WORLD INTELLECTUAL PROPERTY ORGANIZATION 
International Bureau 




CP 



PCT 

INTERNATIONAL APPLICATION PUBLISHED UNDER THE PATENT COOPERATION TREATY (PCT) 



(51) International Patent Classification 6 
H04L 9730 



Al 



(11) International Publication Number: WO 99/04531 

(43) International Publication Date: 28 January 1999 (28.01.99) 



(21) International Apphcation Number: PCT/US98/ 14892 

(22) International Filing Date: 17 July 1998 (17.07.98) 



(30) Priority Data: 

08/896,993 



18 July 1997 (18.07.97) 



US 



(71) Applicant: APPLE COMPUTER, INC. [US/US]; 1 Infinite 

Loop, M/S: 39-PAT, Cupertino, CA 95014 (US). 

(72) Inventors: CRANDALL, Richard, E.; 3754 S.E. Knight Street, 

Portland, OR 97202 (US). GARST, Blaine; 3307 Bay Court, 
Belmont, CA 94002 (US). 

(74) Agents: HECKER, Gary, A. et al.; Hecker & Hantaan, Suite 
2300, 1925 Century Park East, Los Angeles, CA 90067 
(US). 



(81) Designated States: CA, JP, European patent (AT, BE, CH, CY, 
DE, DK, ES, FI, FR, GB, GR, IE, IT, LU, MC, NL, PT, 
SE). 



Published 

With international search report. 
Before the expiration of the time limit for amending the 
claims and to be republished in the event of the receipt of 
amendments. 



(54) Title: METHOD AND APPARATUS FOR FAST ELLIPTICAL ENCRYPTION WITH DIRECT EMBEDDING 
(57) Abstract 

The present invention takes advantage of a quadratic-only ambiguity for x-coordinates in elliptic curve algebra as a means for 
encrypting plaintext directly onto elliptic curves. The encrypting of plaintext directly onto elliptic curves if refered to herein as "direct 
embedding". When performing direct embedding, actual plaintext is embedded as a •'+" or "-" x-coordinate. The sender specifies using 
an extra bit whether + or - is used so that the receiver can decrypt appropriately. In operation their are two public initial x-coordinates 
such that two points Pi+ and Pr lie respectively on two curves E + and E~. A parcel of text xtcxt is selected that is no more than q bits in 
length. The curve (E+ or E~) that contains Xtext is determined. A random number r is chosen and used to generate a coordinate x q using 
the public key of a receiving party. An elliptic add operation is used with the coordinate Xq and the parcel of text to generate a message 
coordinate x m . A clue Xc is generated using the random number and the point P from the appropriate curve E+/-. The sign that holds for 
xtexi is determined and called g. The message coordinate m m , the clue x c , and the sign g are sent as a triple to the receiving party. The 
receiving party uses the clue * c and its private key to generate coordinate x q . Using the sign g and coordinate ^, the text can be recovered. 
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METHOD AND APPARATUS FOR FAST ELLIPTICAL ENCRYPTION 

WITH DIRECT EMBEDDING 

This is a continuation-in-part of United States Patent Application 
5 08/758,688 which is a continuation of United States Patent Application 

484,264 (now issued as U. S. Patent Number 5,581,616, which is a continuation 
in part of United States Patent Application 08/167,408 filed December 14, 1993 
which is a continuation of Unites States Patent Application 07/955,479 filed 
October 2, 1992 (now issued as U. S. Patent 5,271,061) which is a continuation 
10 of United States Application Serial Number 07/761,276 filed September 17, 
1991 (now issued as U. S. Patent Number 5,159,632). 

BACKGROUND OF THE PRESENT INVENTION 

15 1. FIELD OF THE INVENTION 

This invention relates to the field of cryptographic systems. 

2. BACKGROUND ART 

20 

A cryptographic system is a system for sending a message from a sender 
to a receiver over a medium so that the message is "secure", that is, so that 
only the intended receiver can recover the message. A cryptographic system 
converts a message, referred to as "plaintext" into an encrypted format, 
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known as "ciphertext." The encryption is accomplished by manipulating or 
transforming the message using a "cipher key" or keys. The receiver 
"decrypts" the message, that is, converts it from ciphertext to plaintext, by 
reversing the manipulation or transformation process using the cipher key or 
5 keys. So long as only the sender and receiver have knowledge of the cipher 
key, such an encrypted transmission is secure. 

A "classical" cryptosystem is a cryptosystem in which the enciphering 
information can be used to determine the deciphering information. To 
10 provide security, a classical cryptosystem requires that the enciphering key be 
kept secret and provided to users of the system over secure channels. Secure 
channels, such as secret couriers, secure telephone transmission lines, or the 
like, are often impractical and expensive. 

15 A system that eliminates the difficulties of exchanging a secure 

enciphering key is known as "public key encryption." By definition, a public 
key cryptosystem has the property that someone who knows only how to 
encipher a message cannot use the enciphering key to find the deciphering 
key without a prohibitively lengthy computation. An enciphering function is 

20 chosen so that once an enciphering key is known, the enciphering function is 
relatively easy to compute. However, the inverse of the encrypting 
transformation function is difficult, or computationally infeasible, to 
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compute. Such a function is referred to as a "one way function" or as a "trap 
door function." In a public key cryptosystem, certain information relating to 
the keys is public. This information can be, and often is, published or 
transmitted in a non-secure manner. Also, certain information relating to 
5 the keys is private. This information may be distributed over a secure 
channel to protect its privacy, (or may be created by a local user to ensure 
privacy). 

A block diagram of a typical public key cryptographic system is 
10 illustrated in Figure 1. A sender represented by the blocks within dashed line 
100 sends a plaintext message Ptxt to a receiver, represented by the blocks 
within dashed line 115. The plaintext message is encrypted into a ciphertext 
message C, transmitted over some transmission medium and decoded by the 
receiver 115 to recreate the plaintext message Ptxt. 

15 

The sender 100 includes a cryptographic device 101, a secure key 
generator 102 and a key source 103. The key source 103 is connected to the 
secure key generator 102 through line 104. The secure key generator 102 is 
coupled to the cryptographic device 101 through line 105. The cryptographic 
20 device provides a ciphertext output C on line 106. The secure key generator 
102 provides a key output on line 107. This output is provided, along with 
the ciphertext message 106, to transmitter receiver 109. The transmitter 



BNSOOCID: <WO 



9904S31A1 i > 



SUBSTITUTE SHEET (RULE 26) 



WO 99/04531 



PCT/US98/14892 



receiver 109 may be, for example, a computer transmitting device such as a 
modem or it may be a device for transmitting radio frequency transmission 
signals. The transmitter receiver 109 outputs the secure key and the 
ciphertext message on an insecure channel 110 to the receivers transmitter 

5 receiver 111. 

The receiver 115 also includes a cryptographic device 116, a secure key 
generator 117 and a key source 118. The key source 118 is coupled to the 
secure key generator 117 on line 119. The secure key generator 117 is coupled 
10 to the cryptographic dev.e 116 on line 120. The cryptographic device 116 is 
coupled to the transmitter reaver 111 through line 121. The secure key 
generator 117 is coupled to the transmitter receiver 111 on Imes 122 and 123. 

In operation, the sender 100 has a plaintext message Ptxt to send to the 
15 receiver 115. Both the sender 100 and the receiver 115 have cryptographic 

devices 101 and 116, respectively, that use the same encryption scheme. There 
are a number of suitable cryptosystems that can be implemented in the 
cryptographic devices. For example, they may implement the Data 
Encryption Standard (DES) or some other suitable encryption scheme. 

20 

Sender and receiver also have secure key generators 102 and 117, 
respectively. These secure key generators implement any one of several well 
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known public key exchange schemes. These schemes, which will be described 
in detail below, include the Diffie-Hellman scheme, the RSA scheme, the 
Massey-Omura scheme, and the ElGamal scheme. 

5 The sender 100 uses key source 103, which may be a random number 

generator, to generate a private key. The private key is provided to the secure 
key generator 102 and is used to generate an encryption key eg- The 
encryption key ex is transmitted on lines 105 to the cryptographic device and 
is used to encrypt the plaintext message Ptxt to generate a ciphertext message 

10 C provided on line 106 to the transmitter receiver 109. The secure key 

generator 102 also transmits the information used to convert to the secure key 
from key source 103 to the encryption key ejc- This information can be 
transmitted over an insecure channel, because it is impractical to recreate the 
encryption key from this information without knowing the private key. 

15 

The receiver 115 uses key source 118 to generate a private and secure . 
key 119. This private key 119 is used in the secure key generator 117 along 
with the key generating information provided by the sender 100 to generate a 
deciphering key D^. This deciphering key Djc is provided on line 120 to the 
20 cryptographic device 116 where it is used to decrypt the ciphertext message 
and reproduce the original plaintext message. 
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TV>p Diffie- Hpllman Scheme 

A scheme for public key exchange is presented in Diffie and Hellman, 
"New Directions in Cryptography," IEEE Trans. Inform. Theory, vol. IT-22, pp. 

5 644-654, Nov. 1976 (The "DH" scheme). The DH scheme describes a public key 
system based on the discrete exponential and logarithmic functions. If "<f is a 
prime number and V is a primitive element, then X and Y are in a 1:1 
correspondence for 1<X, Y<(q - D where Y = a x mod and X = loga Y over 
the finite field. The first discrete exponential function is easily evaluated for a 

10 given « and X, and is used to compute the public key Y. The security of the 
Diffie-Hellman system relies on the fact that no general, fast algorithms are 
known for solving the discrete logarithm function X = log. Y given X and Y. 

In a Diffie-Hellman system, a directory of public keys is published or 
15 otherwise made available to the public. A given public key is dependent on 
its associated private key, known only to a user. However, it is not feasible to 
determine the private key from the public key. For example, a sender has a 
public key, referred to as "myPub". A receiver has a public key, referred to 
here as "theirPub". The sender also has a private key, referred to here as 
20 "myPri". Similarly, the receiver has a private key, referred to here as 
"theirPri". 
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There are a number of elements that are publicly known in a public key 
system. In the case of the Diffie-Hellman system, these elements include a 
prime number p and a primitive element g. p and g are both publicly known. 
Public keys are then generated by raising g to the private key power (mod p). 
5 For example, a senders public key my Pub is generated by the following 
equation: 

my Pub = gny?" (mod p) Equation (1) 

10 Similarly, the receiver's public key is generated by the equation: 

theirPub = gtheirPh ( mod p ) Equation (2) 

Public keys are easily created using exponentiation and modulo 
15 arithmetic. As noted previously, public keys are easily obtainable by the 
public. They are published and distributed. They may also be transmitted 
over non-secure channels. Even though the public keys are known, it is very 
difficult to calculate the private keys by the inverse function because of the 
difficulty in solving the discrete log problem. 

20 

Figure 2 illustrates a flow chart that is an example of a key exchange 
using a Diffie-Hellman type system. At step 201, a prime number p is chosen. 
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10 



This prime number p is public. Next, at step 202, a primitive root g is chosen. 
This number g is also publicly known. At step 203 an enciphering key e K is 
generated, the receiver's public key (theirPub) is raised to the power of the 
sender's private key (myPri). That is: 

(theirPub)"V Pri (mod p) Equation (3) 

We have already defined theirPub equal to g»*«VPri (mod p). Therefore 
Equation 3 can be given by: 

.(gtheirPri)myPri ( moc j p ) Equation (4) 



This value is the enciphering key e K that is used to encipher the 
plaintext message and create a ciphertext message. The particular method for 
15 enciphering or encrypting the message may be any one of several well known 
methods. Whichever encrypting message is used, the cipher key is the value 
calculated in Equation 4. The ciphertext message is then sent to the receiver 
at step 204. 

20 At step 205, the receiver generates a deciphering key D K by raising the 

public key of the sender {myPub) to the private key of the receiver {theirPri) as 
follows: 
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Dk = (myPub) theirPri ( mo d p ) Equation (5) 

From Equation 1, myPub is equal to g™jP ri (mod p). Therefore: 

5 

q k _ (gmyPriyheirPri ( mo d p) . Equation (6) 

Since (g A ) B is equal to (£ B ) A , the encipher key ej< and the deciphering 
key Dk are the same key. These keys are referred to as a "one-time pad." A 
10 one-time pad is a key used in enciphering and deciphering a message. 

The receiver simply executes the inverse of the transformation 
algorithm or encryption scheme using the deciphering key to recover the 
plaintext message at step 206. Because both the sender and receiver must use 
15 their private keys for generating the enciphering key, no other users are able 
to read or decipher the ciphertext message. Note that step 205 can be 
performed prior to or contemporaneously with any of steps 201-204. 

RSA 

20 

Another public key cryptosystem is proposed in Rivest, Shamir and 
Adelman, M On Digital Signatures and Public Key Cryptosystems," Commun. 
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Ass. Comput. Mach., vol. 21, pp. 120-126, Feb. 1978 (The "RSA" scheme). The 
RSA scheme is based on the fact that it is easy to generate two very large 
prime numbers and multiply them together, but it is much more difficult to 
factor the result, that is, to determine the very large prime numbers from 
their product. The product can therefore be made public as part of the 
enciphering key without compromising the prime numbers that effectively 
constitute the deciphering key. 

In the RSA scheme a key generation algorithm is used to select two 
large prime numbers p and q and multiply them to obtain n = pq. The 
numbers p and q can be hundreds of decimal digits in length. Then Eulers 
function is computed as +(n) = (p - D(<? - D- ( ♦<") is the number of integers 
between 1 and n that have no common factor with n). <K") has the property 
that for any integer a between 0 and n - 1 and any integer k. a k *W + 1 = a 
(mod n). 

A random number E is then chosen between 1 and <K") - 1 and which 
has no common factors with +(n). The random number E is the enciphering 
key and is public. This then allows D = E " l (mod «n)) to be calculated easily 
using an extended version of Euclid's algorithm for computing the greatest 
common divisor of two numbers. D is the deciphering key and is kept secret. 
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The information (E, n) is made public as the enciphering key and is 
used to transform unenciphered, plaintext messages into ciphertext messages 
as follows: a message is first represented as a sequence of integers each 
between 0 and n - 1. Let P denote such an integer. Then the corresponding 
5 ciphertext integer is given by the relation C = P E (mod n). -The information 
(D, n) is used as the deciphering key to recover the plaintext from the 
ciphertext via P = C° (mod n). These are inverse transformations because 
qD _ pED _ p/c<J>(n) + 1 = P. 



10 MASSE Y-OMURA 



The Massey-Omura cryptosystem is described in U.S. Patent Number 
4,567,600. In the Massey cryptosystem, a finite field F q is selected. The field F q 
is fixed and is a publicly known field. A sender and a receiver each select a 
15 random integer e between 0 and q-l so that the greatest common 

denominator CCD. (e, q-l) = 1. The user then computes its inverse D = e' 1 
(mod q-l) using the Euclidean algorithm. Therefore, De = 1 (mod q-l). 

The Massey-Omura cryptosystem requires that three messages be sent 
20 to achieve a secure transmission. Sender A sends message P to receiver B. 
Sender A calculates random number and receiver B calculates random 
number eg. The sender first sends the receiver the element P e /\> The receiver 
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is unable to recover P since the receiver does not know e A . Instead, the 
receiver raises the element to his own private key e B and sends a second 
message P e A e B back to the sender. The sender then removes the effect of e A 
by raising the element to the D A -th power and returns P' B to the receiver B. 
5 The receiver B can read this message by raising the element to the D B -th 
power. 

ELGAMAL rrcYPTOSYSTEM 



10 



The ElGamal public key cryptosystem utilizes a publicly known finite 
field Fq and an element g of F> Each user randomly chooses an integer a in 
the range 0 > a > q-l. The integer a is the private deciphering key. The public 
enciphering key is the element f of F> To send a message represented by P 
to a user A, an integer K is randomly chosen. A pair of elements of F q , 
15 namely (g K , Pg aK ) are sent to A. The plaintext message Ptxt is encrypted with 
the key g aK - The value g K is a "clue" to the receiver for determining the 
plaintext message Ptxt. However, this clue can only be used by someone who 
knows the secure deciphering key "a". Tne receiver A, who knows "a", 
recovers the message P from this pair by raising the first element g * to the a- 
20 th power, forming and dividing the result into the second element. 
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5iumc CURVES 

Another form of public key cryptosystem is referred to as an "elliptic 
curve" cryptosystem. An elliptic curve cryptosystem is based on points on an 

5 elliptic curve E defined over a finite field F. Elliptic curve cryptosystems rely 
for security on the difficulty in solving the discrete logarithm problem. An 
advantage of an elliptic curve cryptosystem is there is more flexibility in 
choosing an elliptic curve than in choosing a finite field. Nevertheless, 
elliptic curve cryptosystems have not been widely used in computer-based 

10 public key exchange systems due to their computational intensiveness. m 
Computer-based elliptic curve cryptosystems are slow compared to other 
computer public key exchange systems. Elliptic curve cryptosystems are 
described in "A Course in Number Theory and Cryptography" (Koblitz, 1987, 
Springer-Verlag, New York). 

15 

To date, elliptic curve schemes have been used for key exchange and 
for authentication. However, there has not been a suitable scheme proposed 
for using elliptic curve algebra as an encryption scheme itself. 
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SUMMA&y. ™ USE tmvfntioN 

The present invention provides means for encrypting plaintext directly 
as points on elliptic curves. This direct embedding using elliptic curve 
algebra avoids an intermediate encryptor stage, such as a so-called DES stage. 
The ease of embedding in this invention is a result of choosing elliptic curve 
parameterizations over a field F p , where p is a prime number such that 
p = 21 - C = 3 (mod 4). The integers q and C are chosen such that p be prime, 
with C (possibly negative) being suitably small in magnitude so that fast 
arithmetic can be performed. 

The ability to treat plaintext directly as points on one of two related 
curves is a consequence of choosing a prime p such that p = 3 (mod 4). The 
process of choosing which curve contains the plaintext point is referred to 
herein as "direct embedding." Direct embedding avoids the non- 
deterministic algorithm of Koblitz and other, typically complicated 
approaches. 

There are two modes of operation, the first mode being used by the 
second as a preliminary step. Assume there are two elliptic curves denoted E + 
and its twist E-, initial points on these curves P x + and Pr, public key points for 
both curves theirPub*, theirPub" and ourPub*, ourPub" derived by elliptic 
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multiplication respectively from the initial points and private keys theirPri 
and ourPri. A parcel of plaintext x text is selected that falls in the range 0 to 
p-1. It is determined whether E + or E _ contains the point with x-coordinate 
jttext- A random number r is chosen and used to generate a new coordinate Xq 
5 on that curve by elliptic curve multiplication of the appropriate public point 
theirPub\ Assume an elliptic_add operation that can compute the x- 
coordinates of both the addition and subtraction of two points on an elliptic 
curve, but that does not distinguish which result corresponds to which 
operation. An elliptic^add operation of the point x te xt and x a is performed, 

10 and one of the two results is chosen to generate the encrypted message point 
x m (e.g., x m is either x text + *q or x text - x q ). The inverse elliptic_add operation 
is performed upon x te xt and x^ to determine which of the results reverse the 
operation (x m + Xq or x m - Xq will reveal x te xt)/ an( 3 the choice is denoted as g. 
A clue x c is formed by elliptic multiplication of the random number r and the 

15 appropriate initial public point P±. The triplet {x m/ g, x c ) is sent to the receiver. 
The receiving party computes x^ by elliptic multiplication of x c by theirPri, 
and computes elliptic_add on x m and x^ , and uses g to select the result x m . 
The x-coordinate of x m is the original parcel of plaintext. 

20 The second mode of operation reduces the size of each encrypted parcel 

by establishing a synchronized random number generator between the sender 
and receiver by using, for example, the first mode to transmit two random 
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numbers r and s. The first synchronization clue is formed by successive 
elliptic multiplication of theirPub* by ourPri and r by the sending party, and 
ourPub by theirPri* and r by the receiving party. Successive clues x c i uen are 
formed by choosing the first result of the elliptic_add operation upon the clue 
x c lue„-i and the point formed by elliptic multiplication of the initial -point Pl± 
by s. Each parcel of plaintext is then encrypted by first determining which 
curve contains the point x text , and the first result of elliptic_add of x tex t and 
x c lue„ forming x m , and again noting as g the position of x m in the results of an 
elliptic_add upon x m and x cluen . The pair (x m , g) is sent to the receiver. The 
receiver determines which curve x m belongs upon and performs elliptic_add 
upon x m and x cluen , and uses g to select the original message parcel x m from 

the two results. 
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BRIEF DESCRIPTION OF THE DRAWINGS 

Figure 1 is a block diagram of a prior art public key exchange system. 

Figure 2 is a flow diagram of a prior art public key exchange transaction. 

Figure 3 is a flow diagram illustrating the key exchange of the present 
invention. 

Figure 4 is a block diagram of a computer system on which the present 
invention may be implemented. 

Figure 5 is a diagram illustrating the shift and add operations for 
performing mod p arithmetic using Mersenne primes. 

Figure 6 is a diagram illustrating the operations for performing mod p 
arithmetic using Fermat numbers. 

Fignre 7 is a diagram illustrating the operations for performing mod p 
arithmetic using fast class numbers. 

Figure 8 is a block diagram of the present invention. 
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Figure 9 is a flow diagram illustrating the operation of one 
embodiment of the present invention. 

5 Figure 10 is a flow diagram illustrating the generation of a digital 

signature using the present invention. 

Figure 11 is a flow diagram illustrating the authentication of a digital 
signature in the present invention. 

10 

Figure 12 illustrates a block diagram for implementing the digital 
signature scheme of the present invention. 

Figure 13 is a flow diagram of encrypting a plaintext message using 
15 direct embedding. 

Figure 14 is a flow diagram of decrypting the encrypted message of 
Figure 13. 

20 Figure 15 is a flow diagram of encrypting a plaintext message using 

expansionless direct embedding. 
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Figure 16 is a flow diagram of decrypting the encrypted message of 
Figure 15. 
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DETAILED DESCRIPT ION OF THE INVENTION 

An elliptic curve encryption scheme is described. In the following 
description, numerous specific details, such as number of bits, execution time, 
5 etc., are set forth in detail to provide a more thorough description of the 

present invention. It will be apparent, however, to one skilled in the art, that 
the present invention may be practiced without these specific details. In other 
instances, well known features have not been described in detail so as not to 
obscure the present invention. 

10 

A disadvantage of prior art computer-implemented elliptic curve 
encryption schemes is they are unsatisfactorily slow compared to other prior 
art computer-implemented encryption schemes. The modulo arithmetic and 
elliptic algebra operations required in a prior art elliptic curve cryptosystem 

15 require that divisions be performed. Divisions increase computer CPU 
(central processing unit) computational overhead. CPU"s can perform 
addition and multiplication operations more quickly, and in fewer processing 
steps, than division operations. Therefore, prior art elliptic curve 
cryptosystems have not been previously practical or desirable as compared to 

20 other prior art cryptosystems, such as Diffie-Hellman and RSA schemes. 
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The present invention provides methods and apparatus for 
implementing an elliptic curve cryptosystem for public key exchange that 
does not require explicit division operations. The advantages of the preferred 
embodiment of the present invention are achieved by implementing fast 
5 classes of numbers, inversionless parameterization, and FFT multiply mod 
operations. 

Elliptic Curve Algebra 

10 The elliptic curve used with the present invention is comprised of 

points (x,y) £ F k XF pk satisfying: 

y 2 = x 3 + cx 2 + ax + b Equation (7a) 

or 

15 -y2 = x 3 + cx 2 + ax + b Equation (7b) 

together with a "point at infinity" A. 

The case where b = 0 and a = 1 is known as the "Montgomery 
20 parameterization" and will later be used for purposes of illustration: 

±y 2 = x 3 + c x 2 + x Equation (7c) 
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and the case where c=0 is known as the Weierstrass parameterization, and 
will also be used for purposes of illustration: 

±y2 = x 3 + ax + b Equation (7d) 

Sender ("our") and recipient ("their") private keys are assumed to be 
integers, denoted: 

ourPri, theirPri £ Z 

Next, parameters are established for both sender and recipient. The 
parameters are: 

q, so that p = 2^ - C is a fast class number (q is the "bit-depth"). The 

value q is a publicly known value. 

p and k, so that F * will be the field, and where prime p and integer k 

are publicly known. 

{x\,y\) e Fpjt , the initial x-coordinate, which is publicly known. 

a ,b,c e F ^ / integer curve defining parameters, all publicly known. 
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The present invention uses an operation referred to as "elliptic 
multiplication" and represented by the symbol M °'\ The operation of elliptic 
multiplication is well known in the literature, and, for purposes of this 
patent, will be illustrated using the Weierstrass parameterization of Equation 
5 7d as follows. Similar rules are obtained for other parameterizations, such as 
the Montgomery parameterization. 

An initial point {X\, Y\) on the curve of Equation 7d is defined. For the 
set of integers n, expression n ° (Xi, Y\) denotes the point (X n , Y n ) obtained via 
10 the following relations, known as adding and doubling rules. 

Xn + x = ((Y„ - Yi)/(X n - Xi))2 - Xi - X n Equation (8) 

Yn + l = -Y\ + ((Xn - Yi)/(X„ - Xi))(Xi - X n + i) Equation (9) 

15 When (Xi, Yi) = (X„, Y n ), the doubling relations to be used are: 

X n + i = ((3Xi2 + a)/2Yi)2 - 2Xi; Equation (10) 

Yn + 1 = -Yi + ((3Xi 2 + a)/2Y!)(Xi-X n + i) Equation (11) 

20 Because arithmetic is performed over the field F all operations are to 

be performed (mod p). In particular, the division operation in equations 8 to 
11 involve inversions (mod p). 
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Parameterizations other than Weierstrass are easily formulated. 
Elliptic Curve Public Kev Exchange 

5 

It is necessary that both sender and recipient use the same set of such 
parameters. Both sender and recipient generate a shared secret pad, as a 
particular x-coordinate on the elliptic curve. 

10 In the following description, the terms "our" and "our end" refer to the 

sender. The terms "their" and "their end" refer to the receiver. This 
convention is used because the key exchange of the present invention may be 
accomplished between one or more senders and one or more receivers. Thus, 
"our" and "our end" and "their" and "their end" refers to one or more 

15 senders and receivers, respectively. 

The public key exchange of the elliptic curve cryptosystem of the 
present invention is illustrated in the flow diagram of Figure 3. 

20 Step 301- At our end, a public key is computed: ourPub e F ^ X F^ 

ourPub = (ourPri) ° {x\, y\) Equation (12) 
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Step 302 - At their end, a public key is computed: theirPub e F^ k X F^ k 
theirPub = (theirPri) ° {xi, yi) Equation (13) 

5 

Step 303 - The two public keys ourPub and theirPub are published, and 
therefore known to all users. 



10 



15 



Step 304 - The shared pad is computed at our end: ourPad e F pk X F k 

purPad = (ourPri) ° (theirPub) = (ourPri) ° (theirPri) ° (*i, y a ) 

Equation (14) 

Step 305 - The shared pad is computed at their end: theirPad £ F k X F k 

theirPad = {theirPri) ° (ourPub) = (theirPri) ° (ourPri) ° (.t X/ yi) 

Equation (15) 



The points on an elliptic curve form an abelian group under the 
20 adding and doubling operations above. Therefore, the order of operation of 
equations 14 and 15 can be changed without affecting the result of the 
equations. Therefore: 
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ourPad = {ourPri) ° (theirPri) ° (xi, yi) = (theirPri) ° (ourPri") ° (x lf yi ) 

= theirPad Equation (16) 

Since both the sender and receiver use the same pad, the message 
encrypted by the sender can be decrypted by the recipient. (Note that step 305 
can be executed prior to or contemporaneously with any of steps 301-304). 

At step 306, the sender encrypts plaintext message Ptxt using ourPad, 
and transmits ciphertext message C to the receiver. At step 307, the receiver 
decrypts ciphertext message C to recover plaintext message Ptxt, using 
theirPad. 

Fast Class Numbers 

Elliptic curve cryptosystems make use of modulo arithmetic to 
determine certain parameters, such as public keys, one time pads, etc. The use 
of modulo arithmetic serves the dual purpose of limiting the number of bits 
in the results of equations to some fixed number, and providing security. The 
discrete log problem is asymmetrical in part because of the use of modulo 
arithmetic. A disadvantage of modulo arithmetic is the need to perform 
division operations. The solution to a modulo operation is the remainder 
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when a number is divided by a fixed number. For example, 12 mod 5 is equal 
to 2. (5 divides into 12 twice with a remainder of 2, the remainder 2 is the 
solution). Therefore, modulo arithmetic requires division operations. 

5 Special fast classes of numbers are used in the present invention to 

optimize the modulo arithmetic required in the enciphering and deciphering 
process by eliminating the need for division operations. The class of numbers 
used in the present invention is generally described by the form 2^ - C where 
C is an odd number and is relatively small, (e.g. no longer than the length of a 
10 computer word), and where C = 1 (mod 4). 

When a number is of this form, modulo arithmetic can be 
accomplished using shifts, trivial multiplies, and adds only, eliminating the 
need for divisions. One subset of this fast class is known as "Mersenne" 
15 primes, and are of the form 2^-1. Another class that can be used with the 
present invention are known as "Fermat" numbers of the form 2^+1, where 
q is equal to 2 m . Fermat numbers may be prime or not prime in the present 
invention. 

20 The present invention utilizes elliptic curve algebra over a finite field 

F k where p = 2^ - C and p is a fast class number. Note that the expression 
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2^ - C does not result in a prime number for all values of q and C. For 
example, when q is equal to 4, and C is equal to 1, 2^ - C is equal to 15, not a 
prime. However, when q has a value of 2, 3, or 5, and C = 1, the expression 
2^ - C generates the prime numbers 3, 7, and 31. 

5 

The present invention implements elliptic curves over a finite field 
Fpk where p is 2** - C is an element of a fast class of numbers. When practiced 

on a computer using binary representations of data, the use of fast class 
numbers allows the (mod p) operations to be accomplished using only shifts 
10 and adds. By contrast, the use of "slow" numbers requires that time 

consuming division operations be executed to perform (mod p) arithmetic. 
The following examples illustrate the advantage of fast class number (mod p) 
arithmetic. 

15 Example 1: base 10 (mod p) division 

Consider the 32 bit digital number n, where n = 
11101101111010111100011100110101 (In base 10 this number is 3,991,652,149). 

20 Now consider n (mod p) where p is equal to 127. The expression n 

mod 127 can be calculated by division as follows: 
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31430331 



127 / 3991652149 
/ 381 



181 
127 
546 
508 
385 
381 
42 
0 



421 
381 



404 

381 
239 
127 
112 



The remainder 112 is the solution to n mod 127. 

Example 2: Mersenne Prime (mod p) Arithmetic 

In the present invention, when p is a Mersenne prime where p = 2^ - 1, 
the (mod p) arithmetic can be accomplished using only shifts and adds, with 
no division required. Consider again n (mod p) where n is 3,991,652,149 and p 
is 127. When p is 127, q is equal to 7, from p = 2 q - 1; 127 = 2 7 - 1 = 128 - 1 = 
127. 
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The (mod p) arithmetic can be accomplished by using the binary form 
of n, namely 11101101111010111100011100110101. Referring to Figure 5, the 
shifts and adds are accomplished by first latching the q least significant bits 
5 (LSB's) 501 of n, namely 0110101. The q LSB's 502 of the remaining digits, 
namely 0001110, are then added to q digits 501, resulting in sum 503 (1000011). 
The next q LSB's 504 of n, (0101111), are added to sum 503, generating sum 
505, (1110010). Bits 506 of n (1101111) are added to sum 505, to result in sum 
507, (11100001). 

10 

The remaining bits 508 (1110), even though fewer in number than q 
bits, are added to sum 507 to generate sum 509 (11101111). This sum has 
greater than q bits. Therefore, the first q bits 510 (1101111) are summed with 
the next q bits 511 (in this case, the single bit 1), to generate sum 512 (1110000). 
15 This sum, having q or fewer bits, is the solution to n (mod p). 1110000 = 2 6 + 
25 + 24 = 64 +32 + 16 = 112. 



Thus, the solution 112 ton mod 127 is determined using only shifts 
and adds when an elliptic curve over a field of Mersenne primes is used. The 
20 use of Mersenne primes in conjunction with elliptic curve cryptosystems 
eliminates explicit divisions. 
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Example 3: Fermat N umber (mod p) Arithmetic 

In the present invention, when p is a Fermat number where p = 2^ + 1, 
the (mod p) arithmetic can be accomplished using only shifts, adds, and 
5 subtracts (a negative add), with no division required. Consider again n (mod 
p) where n is 3,991,652,149 and where p is now 257. When p is 257, q is equal 
to 8, from p = 2* + 1; 257 = 2» + 1 = 256 + 1 = 257. 

The (mod p) arithmetic can be accomplished by using the binary form 
10 of n, namely 11101101111010111100011100110101. Referring to Figure 6, the 
shifts and adds are accomplished by first latching the q (8) least significant bits 
(LSB's) 601 (00110101). The next q LSB's 602 of the remaining digits, namely 
11000111, are to be subtracted from q digits 601. To accomplish this, the l's 
complement of bits 602 is generated and a 1 is added to the MSB side to 
15 indicate a negative number, resulting in bits 602* (100111000). This negative 
number 602' is added to bits 601 to generate result 603 (101101101). The next q 
LSB's 604 of n, (11101011), are added to sum 603, generating result 605, 
(1001011000). Bits 606 of n (11101101) are to be subtracted from result 605. 
Therefore, the l's complement of bits 606 is generated and a negative sign bit 
20 of one is added on the MSB side to generate bits 606' (100010010). Bits 606' is 
added to result 605, to generate sum 607, (1101101010). 
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Sum 607 has more than q bits so the q LSB's are latched as bits 608 
(01101010). The next q bits (in this case, only two bits, 11) are added to bits 608, 
generating sum 610 (01101101). This sum, having q or fewer bits, is the 
solution to n (mod p). 01101101 = 26 + 25 + 23 + 2 2 + 2° = 64 + 32 +8 +4 + 1 = 
109. 

Example 4: Fast Cl ass mod arithmetic 

In the present invention, when p is a number of the class p = 2 fl - C, 
where C is and odd number and is relatively small, (e.g. no greater than the 
length of a digital word), the (mod p) arithmetic can be accomplished using 
only shifts and adds, with no division required. Consider again n (mod p) 
where n is 685 and where p is 13. When p is 13, q is equal to 4 and C is equal 
to 3, from p = 2 q - C; 13 = 2* - 3 = 16 - 3 = 13. 

The (mod p) arithmetic can be accomplished by using the binary form 
of n, namely 1010101101. Referring to Figure 7, the shifts and adds are 
accomplished by first latching the q (4) least significant bits (LSB's) 701 of n, 
namely 1101. The remaining bits 702 (101010) are multiplied by C (3) to 
generate product 703 (1111110). Product 703 is added to bits 701 to generate 
sum 704 (10001011). The q least significant bits 705 (1011) of sum 704 are 
latched. The remaining bits 706 (1000) are multiplied by C to generate product 
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707 (11000). Product 707 is added to bits 705 to generate sum 708 (100011). The 
q least significant bits 709 (0011) of sum 708 are latched. The remaining bits 
710 (10) are multiplied by C to generate product 711 (110). Product 711 is added 
to bits 709 to generate sum 712 (1001). Sum 712, having q or fewer bits, is the 
5 solution to n (mod p). 1001 = 2 3 + 2° = 8 + 1 = 9. 685 divided by 13 results in a 
remainder of 9. The fast class arithmetic provides the solution using only 
shifts, adds, and multiplies. 

.Shift and Add Implementation 

.0 

Fast Mersenne mod operations can be effected via a well known shift 
procedure. For p = 2^ - 1 we can use: 

x = (x & p) + (x » q) Equation (17) 

a few times in order to reduce a positive x to the appropriate residue value in 
the interval 0 through p - 1 inclusive. This procedure involves shifts and 
add operations only. Alternatively, we can represent any number x (mod p) 
by. 

x = a + b2(<7+l)/ 2 = {a,b) Equation (18) 



15 



20 
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If another integer y be represented as (c, d), we have: 

xy (mod p) = (ac + 2bd, ad + be) Equation (19) 

5 after which some trivial shift-add operations may be required to produce the 
correct reduced residue of xy. 

To compute an inverse (mod p), there are at least two ways to proceed. 
One is to use a binary form of the classical extended-GCD procedure. Another 
10 is to use a relational reduction scheme. The relational scheme works as. 
follows: 



Given p =2 q -I, x * 0 (mod p), 
to return x" 1 (mod p): 

15 

1) Set (a, b) = (1, 0) and (y, z) = (x, p); 

2) If (y == 0) retum(z); 

3) Find e such that 2 e // y; 

4) Set a = 21- e a (mod p); 
20 5) If(y == 1) return(a); 

6) Set {a, b) = {a+b, a-b) and (y, z) = (y+z, y-z); 

7) Go to (2). 
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The binary extended-GCD procedure can be performed without explicit 
division via the operation [a/bfo, defined as the greatest power of 2 not 
exceeding a/b : 

5 

Given p, and x^O (mod p), 
to return x' 1 (mod p): 



1) If ( X == 1) return(l); 

10 2) Set (x, vo) = (0, 1) and (u l# v x ) = (p, x); 

3) Set wo = [u 1 /u 1 ] 2 ; 

4) Set (x, v 0 ) = (i; 0 , r _ u 0 u 0 ) and (« X/ i^) = (v v u x _ k 0 i>i); 

5) If (u 1 == 0) return(x); else go to (3). 



15 The present invention may be implemented on any conventional or 

general purpose computer system. An example of one embodiment of a 
computer system for implementing this invention is illustrated in Figure 4. 
A keyboard 410 and mouse 411 are coupled to a bi-directional system bus 419. 
The keyboard and mouse are for introducing user input to the computer 

20 system and communicating that user input to CPU 413. The computer system 
of Figure 4 also includes a video memory 414, main memory 415 and mass 
storage 412, all coupled to bi-directional system bus 419 along with keyboard 
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410, mouse 411 and CPU 413. The mass storage 412 may include both fixed 
and removable media, such as magnetic, optical or magnetic optical storage 
systems or any other available mass storage technology. The. mass storage 
may be shared on a network, or it may be dedicated mass storage. Bus 419 

5 may contain, for example, 32 address lines for addressing video memory 414 
or main memory 415. The system bus 419 also includes, for example, a 32-bit 
data bus for transferring data between and among the components, such as 
CPU 413, main memory 415, video memory 414 and mass storage 412. 
Alternatively, multiplex data/address lines may be used instead of separate 

10 data and address lines. 

In the preferred embodiment of this invention, the CPU 413 is a 32-bit 
microprocessor manufactured by Motorola, such as the 68030 or 68040. 
However, any other suitable microprocessor or microcomputer may be 
15 utilized. The Motorola microprocessor and its instruction set, bus structure 
and control lines are described in MC68030 User s Manual, and MC68040 
User's Manual, published by Motorola Inc. of Phoenix, Arizona. 

Main memory 415 is comprised of dynamic random access memory 
20 (DRAM) and in the preferred embodiment of this invention, comprises 8 

megabytes of memory. More or less memory may be used without departing 
from the scope of this invention. Video memory 414 is a dual-ported video 
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random access memory, and this invention consists, for example, of 256 
kbytes of memory. However, more or less video memory may be provided as 
well. 

5 One port of the video memory 414 is coupled to video multiplexer and 

shifter 416, which in turn is coupled to video amplifier 417. The video 
amplifier 417 is used to drive the cathode ray tube (CRT) raster monitor 418. 
Video multiplexing shifter circuitry 416 and video amplifier 417 are well 
known in the art and may be implemented by any suitable means. This 

10 circuitry converts pixel data stored in video memory 414 to a raster signal 

suitable for use by monitor 418. Monitor 418 is a type of monitor suitable for 
displaying graphic images, and in the preferred embodiment of this 
invention, has a resolution of approximately 1020 x 832. Other resolution 
monitors may be utilized in this invention. 

15 

The computer system described above is for purposes of example only. 
The present invention may be implemented in any type of computer system 
or programming or processing environment. 
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Rlork Diagram 

Figure 8 is a block diagram of the present invention. A sender, 
represented by the components within dashed line 801, encrypts a plaintext 
5 message Ptxt to a ciphertext message C. This message C is sent to a receiver, 
represented by the components within dashed line 802. The receiver 802 
decrypts the ciphertext message C to recover the plaintext message Ptxt. 

The sender 801 comprises an encryption/decryption means 803, an 
10 elliptic multiplier 805, and a private key source 807. The 

encryption/decryption means 803 is coupled to the elliptic multiplier 805 
through line 809. The elliptic multiplier 805 is coupled to the private key 
source 807 through line 811. 

15 The encryption /decryption means 804 of receiver 802 is coupled to 

elliptic multiplier 806 through line 810. The elliptic multiplier 806 is coupled 
to the private key source 808 through line 812. 

The private key source 807 of the sender 801 contains the secure private 
20 password of the sender, "ourPri". Private key source 807 may be a storage 
register in a computer system, a password supplied by the sender to the 
cryptosystem when a message is sent, or even a coded, physical key that is 
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read by the cryptosystem of Figure 8 when a message is sent or received. 
Similarly, the private key source 808 of receiver 802 contains the secure 
private password of the receiver, namely, "theirPri". 

5 A separate source 813 stores publicly known information, such as the 

public keys ,, ourPub ,, and "theirPub" of sender 801 and receiver 802, the 
initial point (Xi, Y\), the field F k , and curve parameters a, b, c. This source of 

information may be a published directory, an on-line source for use by 
computer systems, or it may be transmitted between sender and receiver over 
10 a non-secure transmission medium. The public source 813 is shown 

symbolically connected to sender 801 through line 815 and to receiver 802 
through line 814. 



In operation, the sender and receiver generate a shared secret pad for 
15 use as an enciphering and deciphering key in a secure transmission. The 
private key of the sender, ourPri, is provided to the elliptic multiplier 805, 
along with the sender's public key, theirPub. The elliptic multiplier 805 
computes an enciphering key eK from (ourPri) ° (theirPub) (mod p). The 
enciphering key is provided to the encryption /decryption means 803, along 
20 with the plaintext message Ptxt. The enciphering key is used with an 

encrypting scheme, such as the DES scheme or the elliptic curve scheme of 
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the present invention, to generate a ciphertext message C The ciphertext 
message is transmitted to the receiver 802 over a nonsecure channel 816. 

The receiver 802 generates a deciphering key using the receivers 
5 private key, theirPri. TheirPri is provided from the private key source 808 to 
the elliptic multiplier 804, along with sender's public key, ourPub, (from the 
public source 813). Deciphering key D K is generated from {theirPri) ° (ourPub) 
(mod p). The deciphering key D K is equal to the enciphering key e K due to 
the abelian nature of the elliptic multiplication function. Therefore, the 
10 receiver 802 reverses the encryption scheme, using the deciphering key Dx, to 
recover the plaintext message Ptxt from the ciphertext message C. 

The encryption/ decryption means and elliptic multiplier of the sender 
801 and receiver 802 can be implemented as program steps to be executed on a 
15 microprocessor. 

Tnversionless P arameterization 

The use of fast class numbers eliminates division operations in (mod 
20 p) arithmetic operations. However, as illustrated by equations 13-16 above, 
the elliptic multiply operation M °" requires a number of division operations 
to be performed. The present invention reduces the number of divisions 
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required for elliptic multiply operations by selecting the initial 



parameterization to be inversioniess. This is accomplished by selecting the 
initial point so that the M Y" terms are not needed. 

In the present invention, both sender and recipient generate a shared 
secret pad, as a particular ^-coordinate on the elliptic curve. By choosing the 
initial point (Xi, Y\) appropriately, divisions in the process of establishing 
multiples n° (Xi, Y\) are eliminated. In the steps that follow, the form 



for integers n, denotes the coordinate (X n+m /Z n+m ). For x = X/Z the x- 
coordinate of the multiple n(x, y) as X n /Z n , is calculated using a "binary 
ladder" method in accordance with the adding-doubling rules, which involve 
multiply mod operations. For the Montgomery parameterization (Equation 
7c), these rules are: 



n *(X m /Z m ) 



Equation (20). 



if i*;: x i+j =z H (x l x j -z i z j y- 

Z i+j =X H (X I Z / -Z I X ; )2 



Equation (21) 
Equation (22) 



Otherwise, if i = j: 
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X 2f = (X,-2 - Z, 2 ) 2 Equation (23) 

Z 2 ; = 4 X.Zf (X, 2 + c XiZi + Z; 2 ) Equation (24) 

These equations do not require divisions, simplifying the calculations 
5 when the present invention is implemented in the present preferred 

embodiment. This is known as "inversionless parameterization" (due to the 
absence of division operations), and is described in "Speeding the Pollard and 
Elliptic Curve Methods of Factorization" Montgomery, P. 1987 Math. Comp., 
48 (243-264). When the field is simply F p this scheme enables us to compute 
10 multiples nx via multiplication, addition, and (rapid) Mersenne mod 

operations. This also holds when the field is F p 2. Because p = 3 (mod 4) for 
any Mersenne prime p, we may represent any X, or Z,- as a complex integer, 
proceeding with complex arithmetic for which both real and imaginary post- 
multiply components can be reduced rapidly (mod p). We also choose Z x = 1, 
15 so that the initial point on the curve is (X^l, y) where y will not be needed. 

Using both fast class numbers and inversionless parameterization, a 
public key exchange using the method of the present invention can proceed 
as follows. In the following example, the prime is a Mersenne prime. 
20 However, any of the fast class numbers described herein may be substituted. 
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1) At "our" end, use curve parameters (a, b, c), to compute a public key: 

ourPub e F u X F ;t 
p p 

(X/Z) = ourPri " (X^l) 
5 ourPub = XZ' 1 

2) At "their" end, use parameters (a, b, c) to compute a public key: 
theirPub e F pk X F pJt 

10 (X/Z) = theirPri ° (X t /1) 

theirPub = XZ' 1 

3) The two public keys ourPub and theirPub are published, and 
therefore are known. 

15 

4) Compute a shared secret pad: ourPad e F pJt X F pk 

(X/Z) = ourPri ° (theirPub/1) 
ourPad = XZ" 1 

20 

5) Compute a shared secret pad: theirPad e F k X F k 
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(X/Z) =t/ieirPn °(ourPub/l) 
theirPad = XZ' 1 

The usual key exchange has been completed, with 

5 

ourPad = theirPad 

Message encryption/decryption between "our" end and "their" end 
may proceed according to this mutual pad. 

10 

FFT Multiply 



For very large exponents, such as q > 5000, it is advantageous to 
perform multiplication by taking Fourier transforms of streams of digits. FFT 

15 multiply works accurately, for example on a 68040-based NeXTstation, for 
general operations xy (mod p) where p = 2 q - 1 has no more than q = 2 2 0 
(about one million) bits. Furthermore, for Mersenne p there are further 
savings when one observes that order-*? cyclic convolution of binary bits is 
equivalent to multiplication (mod 2^-1). The use of FFT multiply techniques 

20 results in the ability to perform multiply-mod in a time roughly proportional 
to q log q, rather than q^. 
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Elliptic curve algebra can be sped up intrinsically with FFT techniques. 
Let X denote generally the Fourier transform of the digits of X, this transform 
being the same one used in FFT multiplication. Then we can compute 
coordinates from equations 21-24. To compute X l+ y for example, we can use 
5 five appropriate transforms, (X\, Xj, Z y Zj, and Zj-p (some of which can have 
been stored previously) to create the transform: 

Ki+j = (KiKj - Z.iZj)^ 

10 In this way the answer Xj + y can be obtained via 7 FFTs. (Note that the 

usual practice of using 2 FFTs for squaring and 3 FFTs for multiplication 
results in 11 FFTs for the "standard" FFT approach). The ratio 7/11 indicates 
a significant savings for the intrinsic method. In certain cases, such as when 
p is a Mersenne prime and one also has an errorless number-theoretic 

15 transform available , one can save spectra from the past and stay in spectral 
space for the duration of long calculations; in this way reducing times even 
further. 

A flow diagram illustrating the operation of the present invention 
20 when using fast class numbers, inversionless parameterization and FFT 

multiply operations is illustrated in Figure 9. At step 901, a fast class number 
v is chosen where p = 2^ - C. The term q is the bit depth of the encryption 
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scheme. The greater the number of bits, the greater the security. For large 
values of q, FFT multiply operations are used to calculate p. The term p is 
made publicly available. 

At step 902, the element k for the field F k is chosen and made public. 
At step 903, an initial point (Xi/Z) on the elliptic curve is selected. By 
selecting the initial point to be inversionless, costly divides are avoided. The 
initial point is made public. The curve parameter a is chosen at step 904 and 
made public. 

At step 905, the sender computes X\/Z = ourPri ° (Xi/1) using 
inversionless parameterization. The sender's public key is generated ourPub 
= (XZ^Xmod p). The receiver's public key theirPub = (XZ' 1 )(mod p), is 
generated at step 906. 

A one time pad for the sender, ourPad, is generated at step 907. X/Z = 
(ourPri) ° (theirPub /l). ourPad = XZ-^rnod p ). At step 908, a one time pad for 
the receiver, theirPad, is generated. X/Z = (theirPri) ° (ourPub/1). theirPad = 
XZ-^mod p). The calculation of ourPad and theirPad utilizes FFT multiplies 
to eliminate the need to calculate the inversion Z' 1 . At step 909, the sender 
converts a plaintext message Ptxt to a ciphertext message C using ourPad. The 
ciphertext message C is transmitted to the receiver. At step 910, the receiver 
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recovers the plaintext message Ptxt by deciphering the ciphertext message C 
using theirPad. 

FEE Security 

5 

The algebraic factor Mq^ = 2 89 -l, which is a Mersenne prime, occurs 
with "natural" statistics when the elliptic curve method (ECM) was 
employed. This was shown in attempts to complete the factorization of M445 
= 2 445 - 1. In other words, for random parameters c (using Montgomery 

10 parameterization with a = 0, b = 1) the occurrence k(Xi/l) = O for elliptic 

curves over F p with p = Mg 9 was statistically consistent with the asymptotic 
estimate that the time to find the factor M^g of M445 be 0(exp(V(2 log p log log 
p)). These observations in turn suggested that finding the group order over 
Fp is not "accidentally" easier for Mersenne primes p, given the assumption 

15 of random c parameters. 

Secondly, to check that the discrete logarithm problem attendant to FEE 
is not accidentally trivial, it can be verified, for particular c parameters, that 
for some bounded set of integers N 

20 

(pN-lMXx/l) * O 
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The inequality avoids the trivial reduction of the discrete logarithm 
evaluation to the equivalent evaluation over a corresponding finite field. 
Failures of the inequality are extremely rare, in fact no non-trivial instances 
are known at this time for q > 89. 

5 

The present invention provides a number of advantages over prior art 
schemes, particularly factoring schemes such as the RSA scheme. The present 
invention can provide the same security with fewer bits, increasing speed of 
operation. Alternatively, for the same number of bits, the system of the 
10 present invention provides greater security. 

Another advantage of the present cryptosystem over prior art 
cryptosystems is the distribution of private keys. In prior art schemes such as 
RSA, large prime numbers must be generated to create private keys. The 
15 present invention does not require that the private key be a prime number. 
Therefore, users can generate their own private keys, so long as a public key is 
generated and published using correct and publicly known parameters. A 
user cannot generate its own private key in the RSA system. 
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DIGITAL SIGNATURE 

The present invention provides an improved method for creating and 
authenticating a digital signature that uses the elliptic algebra described above 
5 and a hashing or digesting function. The sender has prepared an encrypted 
message "ciphertext". This message may be encrypted as described above or 
may be encrypted using any other encryption scheme. The sender then 
creates a digital signature to append to the message as a way of "signing" the 
message. The signature scheme of the preferred embodiment is described 
- 10 below, followed by the method of reducing computations. 

Creation of Signature 

Assume a curve parameterized by a, b, c with starting point (Xi/1). 
15 Also assume the starting point to have order N on the elliptic curve. The 

sender's public key ourPub is generated as the multiple ourPri ° (Xi/1), where 
ourPri is our private key (an integer) and ° is multiplication on the elliptic 
curve. The digital signature is created as follows: 

20 1) Choose a random integer m of approximately q bits. 

2) Compute the point 
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P =m°(Xi/l). 

3) Using a message digest function M, compute the integer 

u = (m + our Pri * M(ciphertext, P)) (mod N) 

where ciphertext is the encrypted message to be sent. 

Along with the ciphertext, transmit the digital signature as the 
Note that u is an integer of about 2 q bits, while P is a point on the 

In the preferred embodiment of the present invention, a message 
digesting function M such as MD2 or MD5 is used as part of the creation of the 
digital signature. However, the present invention may be implemented 
using other digesting functions or by using any suitable hashing function. 

Authentication of D igital Signature 

The receiver attempts to authenticate the signature by generating a pair 
of points to match the digital signature pair, using the ciphertext message and 



4) 

pair (u, P). 
curve. 
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the public key of the purported sender. The receiver verifies the signature 
using the following steps: 

1) Using the u part of the signature, compute the point _ 

5 

Q= «°(Xi/l) 

2) Compare the point Q to the point 

10 R = P + M(ciphertext, P) ° ourPub 

The signature is invalid if these elliptic points Q and R do not compare 
exactly. In other words, if the signature is authentic, the following must hold: 

15 u ° (Xi/1) = P + M(ciphertext, P) ° ourPub 

Substituting for u on the left side of the equation above gives: 

(m + our Pri * M(ciphertext, P)) 0 (X\/l) = P + M(ciphertext, P) ° ourPub 

20 

or: 
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m ° (Xi/1) + (ourPn*M(ciphertext, P)) ° (Xi/1) = P + M(ciphertext, P) ° 
ourPub 

Substituting for ourPub on the right side of the equation yields: 

m 8 (Xi/1) + (ourPri*M(ciphertext, P)) ° (Xi/1) = P + M(ciphertext, P) ° 
ourPri ° (Xi/1) 

Since P = m ° (Xi/1) from above, the left side becomes: 

P + (o«rPn*M(ciphertext, P)) ° (Xi/1) = P + M(ciphertext, P) ° 
ourPri ° (Xi/1) 

Moving ourPri in the right side of the equation gives: 

P + ourPri*M(ciphertext, P)) ° (Xi/1) = P + our Pri*M (cipher text, P) ° 

(Xi/1) 

Thus, a point on a curve is calculated via two different equations using 
the transmitted pair (u, P). It can be seen that by calculating Q from the 
transmitted point u, and by calculating R from transmitted point P, the 
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ciphertext message, and the public key of the purported sender, the digital 
signature is assumed authenticated when Q and R match. 

Security 

5 

The digital signature scheme of this scheme is secure on the basis of the 
following observation. To forge a signature one would need to find a pair (u, 
P) and a ciphertext that satisfy the equation 

10 u ° (Xi/1) = P + M(ciphertext, P) ° ourPub 

This would either entail an elliptic logarithm operation (the basis of 
the encryption security of the present invention) or breaking of the hash 
function M. 

15 

Optimizing Authentication 

The recipient's final step in the digital signature scheme of the present 
invention involves the addition of two points; namely P and M(ciphertext, P) 
20 ° ourPub to yield R and comparing that sum to a point Q. One could perform 
the elliptic addition using specified y-coordinates at each step. The scheme of 
the present invention provides a method of deducing the possible values of 



BNSDOCID: <WO 9904531 A 1 1 > 



SUBSTITUTE SHEET (RULE 26) 



WO 99/04531 PCI7US98/14892 

54 



the x-coordinate of a sum of two points, using only the respective x- 
coordinates of the original two points in question. Using this method one 
may rapidly perform a necessity check on whether the points Q and the sum 
of P + M(ciphertext, P) ° ourPub have identical x-coordinates. 

A principle for fast verification of sums, using only x-coordinates, runs 
as follows. For example, using Montgomery parameterization, let the curve 
be 

y2 = x 3 + CX 2 + X 

Theorem: Let P T = (xi, yi ), P 2 = (*2, V2), and Q = (x, y) be three points on a 
<nven curve, with xi * xi, Then 



15 Pi + P2 = Q 

only if 

x (C-x) = B 2 



10 



20 



where 
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B = (xix 2 -D/(x 1 -x 2 ) 

C = 2 ((xix 2 + 1) (xi + x 2 + 2c) - 2c) / (X! - x 2 ) 2 

The proof is given as follows. Not knowing the y-coordinates of Pi and 
5 P2/ the only possibilities for the .^coordinate of the sum Pi + P 2 are / for any 
fixed pair (yi,y2)/ the respective x-coordinates (call them ej) of the two forms 
(xi,yi) ± (x2/ y2)- One can compute: 

10 e+/=C 

as in Montgomery, supra. Since x is one or the other of e,f it is necessary that 
(x - e)(x -/) = 0, whence the quadratic equation of the theorem holds. 

15 Thus, when using the x-coordinate scheme of the present invention, it 

is possible to have two solutions that satisfy (x - e)(x -f) = 0. One possible 
solution is therefore generated from an inauthentic signature. However, 
because there are literally millions of possible solutions, when (x -e)(x - f) = 0 
is satisfied, it can be safely assumed that the signature is authentic. 

20 

In practical application, Pi represents the calculated point P that is sent 
as part of the signature by the sender. P 2 represents the expression 
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M(ciphertext, P) ° ourPub. Q of course represents u ° (Xi/1). Pi + P2 
represents R and is compared to Q. 

Flow Diagrams 

5 

Figure 10 is a flow diagram illustrating the generation of a digital 
signature using the present invention. At step 1001, the sender chooses a 
random integer m. This random integer can be generated using a suitable 
random number generator for use with a microprocessor. At step 1002 a 
10 point P is calculated using m. As noted above, this point is generated using 
the relation P = m °(X\/\). in the preferred embodiment of the present 
invention. However, other schemes may be used for generating point P 
without departing from the scope of the present invention. 

15 At step 1003, a second number, u, is calculated using m, P, ourPri, and 

the ciphertext message. In the preferred embodiment of the invention, this is 
generated using the relationship u = m -h our Pri * M(ciphertext, P). As noted 
above, hashing functions other than digesting functions MD2 and MD5 can be 
used. In addition, other relationships can be used to calculate u. It is 

20 recommended that if other relationships are used, that m, P, ourPri and the 
ciphertext message be used. At step 1004, the calculated pair (u, P) is sent as a 
digital signature. 
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Figure 11 is a flow diagram illustrating the authentication of a digital 
signature in the present invention. At step 1101 the recipient of the message 
receives the digital signature (u, P) and the ciphertext message. At step 1102 
5 the point Q is generated using the point u. In the preferred embodiment, the 
relationship Q = u °{X\/1) is used to generate Q. Other relationships may be 
used depending on what relationships were used to calculate u, P by the 
sender. 

10 At -step- 1103, a point P2 is generated using ourPub and the ciphertext 

message. In the preferred embodiment, the relationship M(ciphertext, P) 0 
ourPub is used to generate P2. Other relationships may be used depending on 
what relationships were used to calculate u, P by the sender. 

At step 1104, the x values of Pi and Po are used to determine values B 
and C and ultimately, e and /. This leads to two possible x values for the sum 
of Pi and P2. At decision block 1105 the argument "e,/= x?" is made to 
determine if either of the possible x values satisfies the equality of Pi + P2 = Q- 
If neither of the calculated x values satisfy the equation, that is, if the 
argument at decision block 1105 is false, the signature is not authentic and is 
indicated at block 1106. If one of the x values does satisfy the equation, that is, 
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if the argument at decision block 1105 is true, a valid signature is assumed 
and indicated at block 1107. 

Block Diagram 

5 

Figure 12 illustrates a block diagram for implementing the digital 
signature scheme of the present invention. Where elements of Figure 12 are 
in common with elements of Figure 8, the same element numbers are used. 
The signature scheme is shown in use with an encryption scheme that uses 
10 elliptic multiplication, but this is by way of example only. The present 
invention can be used with any type of encryption scheme. 

A sender, represented by the components within dashed line 1201, 
encrypts a plaintext message Ptxt to a ciphertext message C and generates a 
15 signature (u, P). This message C and signature (u, P) is sent to a receiver, 
represented by the components within dashed line 1202. The receiver 1202 
decrypts the ciphertext message C to recover the plaintext message, and 
authenticates the signature (it, P). 

20 The sender 1201 comprises an encryption/decryption means 1203, an 

elliptic multiplier 805, a random number generator 1205, a hasher 1207, and a 
private key source 807. The encryption /decryption means 1203 is coupled to 
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the elliptic multiplier 805 through line 809. The elliptic multiplier 805 is 
coupled to the private key source 807 through line 811. The random number 
generator 1205 provides random number m on line 1209 to elliptic multiplier 
805 and to hasher 1207. Elliptic multiplier 805 provides the number u to the 
5 nonsecure channel 816 via line 1211. The encrypted ciphertext C is provided 
to hasher 1207 via line 1213. Hasher 1207 provides point P to nonsecure 
channel 816 via line 1215. 

The encryption/decryption means 1204 of receiver 1202 is coupled to 
elliptic multiplier 806 through line 810. The elliptic multiplier 806 is coupled 
to the private key source 808 through line 812. The number u is provided to 
the elliptic multiplier 806 from the nonsecure channel 816 via line 1212. 
Elliptic multiplier 806 generates point Q and provides it to comparator 1208 
via line 1216. Hasher 1206 receives the ciphertext message C and point P from 
nonsecure channel 816 via line 1210, and ourPub from source 813 via line 
1218. Hasher 1206 outputs point R to comparator 1208 via line 1214. 

The private key source 807 of the sender 801 contains the secure private 
password of the sender, "ourPri". Private key source 807 may be a storage 
20 register in a computer system, a password supplied by the sender to the 
cryptosystem when a message is sent, or even a coded, physical key that is 
read by the cryptosystem of Figure 12 when a message is sent or received. 



10 



15 
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Similarly, the private key source 808 of receiver 802 contains the secure 
private password of the receiver, namely, " their Pri". 

A separate source 813 stores publicly known information, such as the 

5 public keys "ourPub" and "theirPub" of sender 1201 and receiver 1202, the 
initial point {x\, y\), the field F fc/ and curve parameters a, b, c. This source of 

information may be a published directory, an on-line source for use by 
computer systems, or it may transmitted between sender and receiver over a 
non-secure transmission medium. The public source 813 is shown 
10 symbolically connected to sender 1201 through line 815 and to receiver 1202 
and hasher 1206 through lines 814 and 1218 respectively. 

In operation, the sender and receiver generate a common one time pad 
for use as an enciphering and deciphering key in a secure transmission, as 

15 described above. The enciphering key is provided to the 

encryption /decryption means 1203, along with the plaintext message. The 
enciphering key is used with an encrypting scheme, such as the DES scheme 
or the elliptic curve scheme of the present invention, to generate a ciphertext 
message C. The random number generator 1205 generates random number 

20 m and provides it to elliptic multiplier 805. Elliptic multiplier 805 generates 
number u and provides it to the receiver via nonsecure channel 816. The 
ciphertext message C is provided to the hasher 1207, along with the random 
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number m and ourPri. Hasher 1207 generates point P and provides it to 
nonsecure channel 816. The ciphertext message, along with signature (u, P), 
is transmitted to the receiver 1202 over a nonsecure channel 816. 

5 The receiver 1202 generates a deciphering key Dk using the receiver's 

private key, theirPri. TheirPri is provided from the private key source 808 to 
the elliptic multiplier 806, along with sender's public key, ourPub, (from the 
public source 813). Deciphering key Dk is generated from {theirPri) ° (ourPub) 
(mod p). The deciphering key Dk is equal to the enciphering key ejc due to 
10 the abelian nature of the elliptic multiplication function. Therefore, the 

receiver 1202 reverses the encryption scheme, using the deciphering key Djo 
to recover the plaintext message from the ciphertext message C. 

The elliptic multiplier 806 of the receiver 1202 receives the number u 
15 from the nonsecure channel 816. The elliptic multiplier 806 generates point 
Q and provides it to comparator 1208. Hasher receives the ciphertext message 
C and point P from the nonsecure channel 816 and the purported senders 
public key ourPub from source 813 and generates point R, which it provides 
to comparator 1208. Comparator 1208 compares points Q and R and if they 
20 match, the signature is assumed to be valid. In the present invention, the 
comparison of points Q and R is accomplished using the optimized scheme 
using x values described above. 
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The encryption /decryption means and elliptic multiplier of the sender 
1201 and receiver 1202 can be implemented as program steps to be executed on 
a microprocessor. 

5 

ptPTrrT EMBEDDING 

The present invention takes advantage of the fact that parcels of text 
can be mapped to one of two curves E±. Using a receivers public key, the 
10 sender generates and sends as a triple a message coordinate, a clue value, and 
a sign, to the receiver. Using the clue and the receiver's private key, the text 
parcel may be decrypted from the message coordinate. In the expansionless 
form, the sender and receiver use their shared secret pad to compute shared 
clues so that each message coordinate is sent with a one-bit sign. 



15 



Elliptic curves generated using fast elliptic algebra described above are 
sufficiently special (i.e. rightly defined), that any parcel of plaintext will embed 
directly and naturally on one of only two possible curves. We call these 
curves the "+" curve and the "-" curve. 



20 
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£?cpayisiQntegs Direct Embedding 

A further refinement of this invention reduces the size of the 
encrypted parcels by eliminating the clue component of each triple. This is 
5 achieved by establishing means of generating clues in synchrony between 
sender and receiver. For example, we may use the method of direct 
embedding above to securely send two random numbers r, s from the sender 
to the receiver. The sender computes the first clue as 

10 cluei = r ° ourPri ° theirPub 

and similarly, the* receiver computes the same clue as 

cluei = r ° theirPri 0 ourPub 

15 

Subsequent clues can be formed on both sides by performing an elliptic 
addition operation as follows: 

clue„+i = clue n + s°P 

20 

where P is the initial point on the curve. 
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As in direct embedding, an embedded message parcel point P te xt is 
ellipticly added to clue to form the message point and the recovery clue g is 
computed and sent, now as only a pair: (message, g). 

piliptic Cn rvp Operations 

As is shown below, the sender of direct embedded plaintext sends a bit 
to identify which of the curves is to be used at the receiver's end so that 
decryption can be accomplished. 

The idea of direct embedding is to embed parcels of plaintext on the 
elliptic curve itself. Say that a point P tex t is a curve point that contains a parcel 
of plaintext to be encrypted. Using fast elliptic curve algebra described above, 
it is possible to transmit the triple consisting of a pair of points and a single bit 

(Ptext + r' theirPub, r' Pj, g) 

(in practice, only sending pairs of x-coordinates and one bit are sent rather 
than pairs of curve points per se and one bit) where r is a random integer. 
Think of this transmission qualitatively as: 
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(message, clue, parity) 

At "their" end, the receiver uses the "clue" and "parity" and their 
private key "theirPri" to deduce the plaintext from the "message." The parity 
5 bit is an overall sign result depending on the curve ambiguity and the sign 
ambiguities of quadratic forms. 

The direct embedding of text is understood by reviewing the following 
elliptic curve relationships. 

10 

We concentrate herein on the case of fields Fp* where 
p = 2 q - 1 



15 is the Mersenne prime. The elliptic curve in question, call it E, is assembled 
to be comprised of points P = [x,y) EFpXFp satisfying: 

s y 2 = x 3 + c x 2 + b x + fl 

20 where the sign s of the curve is restricted to be either +1 or -1, and c * 2, 
together with a "point at infinity" O. Note that we use boldface for actual 
curve points. That is, the notation so far means: 



BNSOOCID: <WO 9904531A1_I_> 



SUBSTITUTE SHEET (RULE 26) 



WO 99/04531 



66 



PCT/US98/I4892 



x, y are both integers (mod p) 

P, a point on the curve, is a pair {x,y), 
5 or possibly the abstract "point at infinity" O 

E is the set of all P 

A powerful classical result -Is Hasse's theorem, that \E\ the order of the curve; 
10 i.e., the total number of points P, is close to v itself in the sense that 

| I El -p-l| <2 yfp 

■ The elliptic curve E, if equipped with a certain operation between its 
15 points, becomes an additive group. The point O is the additive identity, while 
the group law of addition works as follows. For two non-O points 

Pi = (*i, yi) p 2 = ta, y2) 

20 we define the curve addition 
p 3 = ? 1 + P 2 = (x 3 , y 3 ) 
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and subtraction 

P 4 = P! - P 2 = (x 4 ,, y 4 ) 

5 

via the relations for the Montgomery parameterization a = 1, b = 0: 



x 3 = 5 — — — I — c - x, — x-> ; 
\ x \- x 2) 



10 x 3 = j—^ \ ' lf x i ~ x 2 

4x 1 (.t 1 + cxj + lj 



together with the negation rule: 
-Pi = -yi) 

15 

It may then be derived that, for x\ ^ x? the sum and difference x- 
coordinates are related via: 



x 3 x i = F(x l ,x 2 ):=( X f 2 A 
\ x \- x 2 J 



20 
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x 3 + x 4 = G(xi, x 2 ) : = (X1 . X2)2 ( ( x l x 2 + D (*1 + *2 + 2c) - 2c) 

These defined functions F, G figure in the theory of direct embedding. 
Note that the G function in particular can be written alternatively, as: 

G(xi / x 2 )= (X1 2 X2) 2 (*l Q(*2) + *2<2(*i)) 
where the Q function is the defining quadratic form for the elliptic curve; viz. 

Q(z) = z 2 + cz + 1 

Elliptic multiplicati on ladder 

In actual implementations, rapid elliptic curve multiplication is 
performed via the inversionless parameterization system of [Montgomery 
1987], in which the y-coordinate is ignored. For some point P = (Xi, y) we 
define the n-th multiple of P , denoted n ° P, as the elliptic sum of n copies of 
P. (When integer n = 0 we interpret 0 0 P as the abstract point O). Now 
denote the x-coordinate of the multiple n ° P by X n /Z n with Z\ = 1 
understood. The integers X n , Z n can be evaluated via a binary ladder method 
in accordance with certain adding-doubling rules. These rules can be derived 
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from the basic addition/subtraction laws previous, and take the form of 
equations 21, 22, 23 and 24 above. 

Mersenne mod operation 

5 

The elliptic multiplication ladder involves, through the adding- 
doubling rules, multiply-mod operations. These operations can be made 
efficient. Also the single inverse Z* 1 required to resolve a key or pad can be 
effected rapidly. In any case, all arithmetic may proceed with multiplications, 
10 shifts, and adds; resulting in a division-free system. 

Fast Mersenne mod operations can be effected as described in 
connection with equations 17, 18, and 19 above. An inverse (mod p) can be 
computed as described above following equation 19. 

15 

There is also a recursive-inverse algorithm, based on polynomial-GCD 
methods, which in actual practice takes time 0(q\og m q) for some small 
integer m. The inverse times are competitive with cumulative FFT multiply 
techniques such as described above. 

20 
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TTTCOttEMS 

The following theorems provide support for the direct embedding 
scheme of the present invention. 

5 

ThPorem 1 

For a point P on elliptic curve E, and integers m, n we have 
10 mn ° P = nm ° P = m(n ° P) = n(m ° P) 

This illustrates the rules of commutativity and associativity. 



ThPnrpm 2 



15 



For given parameters a = 0, b = 1, c * 2, an arbitrary integer x is a valid x 
-coordinate of some point lying on one of the two fast elliptic curves: 



E±: ±y 2 = xQ(x) 

20 



Note that because p is a Mersenne prime and thus = 3(mod 4), an 
integer s = xQ(x) is either a square or its negative is. 
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Let Pi = {x\, yi), P2 = (x2, yi) and assume P3 = Pi + P2 = (*3/ y3)- Then X3 
5 must satisfy: 

Case xi * *2 : The quadratic relation *3(G(xi, X2) - X3) = F(xi, X2) 2 
Casexi=X2: The relation X3 = (xi 2 - l) 2 /(4xiQ(xi)) 

10 Theorem 4 

Let Pi = (xi, yi), Pi = (X2, y2) and xi * x?. Denote: 

P3 = Pi + P2 = (*3, y 3 ). 
15 P 4 = Pi - P 2 = (*4, y4). 

Then x 3 is one of the following two values: 

(xiQ(x 2 ) + xzQCn) ± 2(x 1 Q(x 1 )x 2 Q(x 2 ))(P +1 )/ 4 )/((x l - x 2 ) 2 ) 

20 

while .T4 is the other value. 
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The above results from solving the quadratic relation of Theorem 3 
above to give: 

F ± Vf 2 - 4G 2 
x 3 - 2 

5 

The square root of a square «(mod p), for p = 3(mod 4) is always plus 
minus a(P + iV 4 (mod p). 

Theorem 5 

10 

For arbitrary integer x(mod p), being on one of the curves E± the 
correct sign + or - is given by whichever sign holds in: 

(xQ{x))(P + = ±xQ(x) (mod p) 

15 

If xQ(x) is 0, the + curve is used. 
nTRFrT FMBFDDI Mn ALGORITHM 

20 Assume: 

Parameters q, a=0, b:=±l, c*2, giving rise to two possible elliptic 

curves E ± ; 
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Two public initial x-coordinates Xl± such that two points 



P x + = [Xi+, ?) 



pf = (xr ?) 



10 



15 



lie respectively on the curves E ± . Note that the y coordinate 
(denoted as M ? M ) can be ignored when using fast elliptic algebra. 

The existence of a pair of public keys: theirPub^ generated from the 
single private key theirPri according to: 

(theirPub* ?) = theirPri * P^ 

Plaintext is to be broken up into parcels of no more than q bits each; 
i.e., a parcel is a value (mod p). 

The existence of a function elliptic_add (x lf x 2 , s) that computes one 
of x 3 or X4 from Theorem 4 above by using the sign s; or from 
Theorem 3 in the rare case xi = X2- 
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To encrypt a plaintext parcel x text : 

1. Determine, from Theorem 5, for which of the two curves E±- the 
parcel x text is a valid x-coordinate. Denote said curve by sign 

s =±1. 

2. Choose random r, and calculate (x q , ?) := r ' (theirPub-, ?), using 
the ladder arithmetic described above. 

3. Calculate a message coordinate x m := elliptic_add(x text , x q , + 1) 

4. Calculate a clue x c using the random r and the public points as 
(x c , ?) := r • P^. 

5. Determine which sign in elliptic_add (x m , x q , ±1) = x text is valid 
and call this sign g. 

6. Transmit the triple of the message coordinate, the clue and the 
sign to the sender as (.r m , x c , g) 
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To decrypt a parcel of plaintext: 

1. Assuming receipt of (x m , x c , g), use the clue x c to compute an x- 
coordinate x q from 

(x q , ?) :=theirPri ' (x c , ?) 

2. Recover plaintext as: 

x text := elliptic_add (x m , x c ,g) 

A software implementation of Algorithm 3 is attached at the end of 
this document, as Appendix code. In actual implementation, it is possible to 
perform the random integer elliptic multiplication (by r) only periodically, so 
as to reduce execution time. It turns out in practice that the multiplication by 
r is actually more costly even than the exponentiation embodied in, say, 
Theorem 4. 

Flow Diagram For D irect Embedding 

Figure 13 is a flow diagram of encrypting a plaintext message using 
direct embedding. At step 1301 divide the plaintext into parcels of no more 
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than q bits each. For each parcel x text , determine at step 1302 for which of two 
curves E± the parcel is a valid x -coordinate. This can be accomplished by use 
of Theorem 5 described above. At step 1303 denote the appropriate curve by 
sign = ±1. 

5 

At step 1304 choose a random r. At step 1305 calculate (x q , ?) = r ° 
(theirPub±, ?). This may be accomplished using ladder arithmetic. At step 
1306 calculate a message coordinate x m . This can be accomplished by x m := 
elliptic_add(x text , x q , +1) or any other suitable method. The clue is calculated 
10 at step 1307. This may accomplished by (x c , ?) := r 0 P^. 

At step 1308 define as g the sign that holds for x tex t- This sign may be 
determined by testing if elliptic_add (x m/ x q , +1) equals x text . At step 1309 
transmit the message coordinate, the clue, and the sign as a triple to the 
15 receiver in the form (x m , x c , g). 

Figure 14 is a flow diagram of decrypting the encrypted message of 
Figure 13. At step 1401 receive a triple (x m , x C/ g) from sender. At step 1402 
compute an x-coordinate x q from (x q , ?) -theirPri ° {x c , ?). The plaintext can 
20 then be recovered at step 1403 by x text := elliptic_add (x m , x c , g). 
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Expansionless Direct Embedding Algorithm 
To encrypt a series of plaintext parcel x te xt n - 

5 1. Select two random numbers r,se F^and transmit them to the 

receiver, for instance, by using the direct embedding algorithm. 

2. Compute initial clues for both curves by computing 

10 clue = r ° ourPri ° theirPub ± 

s = s op± 



3. For plaintext parcel x text| - determine for which of the two curves 

xtextj is a valid point (or, for which Xtext; * s a valid coordinate). 

15 

4. Using the correct curve points, calculate a message coordinate 

mi := elliptic_add(xtext,v clue/, +1) 

20 5. Determine which sign in elliptic_add(m{, clue;, ±1) recovers x te xtj 

and call this sign g. 



BNSOOCID: <WO 9904531A1_I_> 



SUBSTITUTE SHEET (RULE 26) 



WO 99/04531 PCI7US98/14892 

78 



10 



15 



20 



6. Transmit the pair (m,,g). 

7. For subsequent parcels, compute 

cluei+i = elliptic_add(r ° clue,, s, +1) 
and repeat steps 3-6. 
To decrypt a series of pairs (m, g): 

1. Recover random numbers r, s and compute initial clues as follows: 

clue = r 0 theirPri ° ourPub* 
s = s°P ± 

2. For each pair (m, g), determine which curve holds the point m. 

3. Recover plaintext via the following operation upon the points from 

the determined curve: 

elliptic_add(clue, m, g) 
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4. Recompute clue for the subsequent pair 

clue,*! = elliptic_add(r ° clue,, s, +1) 

5 Flow Diagram For Expansionless Direct Embedding 

Figure 15 is a flow diagram of encrypting a plaintext message using 
expansionless direct embedding. At step 1500, the plaintext is divided into 
parcels of no more than q bits each. Two random numbers, r and s, are 
10 selected at step 1501, and transmitted to the receiver in step 1502. At step 1503, 
initial clues, clue and s, are determined for both curves using random 
numbers r and s. 

At step 1504, for each parcel xtext, the sender determines for which of 
15 two curves £± the parcel is a valid ^-coordinate. The message coordinate is 
calculated at step 1505 using m; := elliptic_add(x t ext„ clue/, +1). At step 1506, 
the sender determines which sign in elliptic_add(m,-, clue,, ±1) recovers x t ext, 
and denotes the sign as g. 

20 At step 1507, the current pair (m, g) is transmitted to the receiver, and 

the next clues are computed in step 1508 using the previous clue and random 
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numbers r and s. After step 1508, the process returns to step 1504 to encrypt 
the next parcel. 

Figure 16 is a flow diagram for decrypting the encrypted message of 
5 Figure 15. At step 1600, the receiver recovers the random numbers r and s 
transmitted by the receiver, and at step 1601, random numbers r and s are 
used to determine the initial clues. In step 1602, the receiver recovers the pair 
(m, g) transmitted by the sender. For the current pair (m, g), at step 1603, the 
receiver determines which of the elliptic curves holds the point m. Using 
10 points from the determined curve, the plaintext parcel is recovered at step 
1604 using elli P tic_add(clue, m, g). In step 1605, the next clues are computed 
based on the previous clues and random numbers r and s. After step 1605, the 
process returns to step 1602 for the next parcel. 

15 Code 

An example of code written in Mathematica for implementing 
encryption and decryption using direct embedding is as follows: 

20 (* Elliptic algebra functions: FEED format. 

y A 2 = x A 3 + c x A 2 + a x + b. 

Montgomery: b = 0, a = 1; 
25 Weierstrass: c = 0; 
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Atkin3: c = a = 0; 
Atkin4: c = b = 0; 

Parameters c, a, b, p must be global. 
5 *) 

elleven[pt_] := Block[{xl = pt([l]], zl = pt[[2]], e, f |, 

e = Mod[(xl A 2 - a zl A 2) A 2 - 4 b (2 xl + c zl) zl A 3, p]; 
f = Mod[4 zl (xl A 3 + c xl A 2 zl + a xl zl A 2 + b zl A 3), p]; 
10 Return[{e,f)] 

1; 

ellodd[pt_, pu_^ pv_] := Block[ 

{xl=pt[[l]],zl = pt[[2]], 
x2 = pu[[l]] / z2 = pu[[2]] / 
xx = pv[[l]], zz = pv[[2]], i, j}, 
i = Mod[zz ((xl x2 - a zl z2) A 2 - 

4 b(xl z2 + x2 zl -t- c zl z2) zl z2), p]; 
j = Mod[xx (xl z2 - x2 zl) A 2, p]; 
Return [(i,j}] 



bitList[k_] := Block[{li = {}, j = k}, 
While[j > 0, 

li = Append(li, Mod[j,2]]; 
j = Floor[j/2]; 

I 

Retum[Reverse[li]]; 
I 

elliptic[pt_^ kj := Block[(porg, ps, pp, q}, 

If[k ==1, Retumfpt]]; 
If[k ==2, Retum(elleven[pt]]]; 
35 porg = pt; 

ps = ellevenfpt]; 

PP = P 1 ; 

bitlist = bitList[k]; 



15 



20 



25 



30 
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Dot 

Lf[bitlist([q]] == 1, 

pp = ellodd[ps, pp, porg]; 

ps = elleven[ps], 

5 ps = ellodd[pp, ps, porg]; 

pp = elleven[pp] 

]. 

{q,2,Length(bitlist]} 

10 Return[Mod[pp,p]] 
1; 

ellinv[n_] := PowerMod[n,-l,p]; 
ex[pt_] := Mod[pt[[l]] * eUinv[pt([2]]], p]; 
squareQ[x_] := PowerMod[x, (p-l)/2, p] != (p-1); 
15 pointQ[x_] := squareQ[x A 3 + c x A 2 + a x + b]; 

(* Direct embedding algorithm (FEED). *) 

20 elladd[xl_, x2_, sgnj := Block({u2, v), 
If[xl == x2, Retum[ 

Mod[(xl A 2-a) A 2 PowerModl4(xl A 3 + c xl A 2 + a xl + b), -1, pj,pl 

v ='Mod[((xl x2 - a) A 2-4b(xl-t-x2+c)) ellinv[xl-x2] A 2, p]; 
25 u2 = Mod[ ((xl x2 + a)(xl + x2) + 2c xl x2 + 2b) * 
ellinv[xl-x2] A 2 ( p]; 

Mod[u2 + sgn* 
PowerMod[u2 A 2 - v, (p+l)/4, p], p] 

I 

30 

q = 192; k = 1425; 
p = 2 A q-k; 

Dlfll - 784108200761398366290921608521201859235598965892403224095^ 
35 pltAri {303?920912793661852507451928975086461250567208 

aPri = 4434334; 
bPri = 418245599585; 
aPub[l] = elliptic[pl[l], aPri]; 
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aPub[-l] = elliptic[pl[-l], aPri]; 
bPub[l] = eiliptic[pl[l], bPri]; 
bPub[-l] = elliptic[pl[-l], bPri]; 

5 xp = 11111111333377; (* Plaintext. *) 
curve = If[pointQ[xp], 1, -1]; 
Printfxp," ".curve]; 

(* next, test parcel with various random integers r. *) 
10 Do( 

r = Random[Integer, 32767]; 
xq = ex[eUiptic[bPub[curve], r]]; 
xm = elladd[xp, xq, +1]; 

xc = ex(elliptic[pl [curve], r]]; (* Senders clue. *) 
15 g = If[xp == elladd[xm, xq, +1], 1, -1]; 

Print[ Transmit: ",{xm, xc, g}]; 
Print["Decrypt: M , 

elladd[xm, ex[elliptic[(xc,l}, bPri]], g]]; 

,(qq,l,9} 

20 ]; 



A function to compare signatures using the optimized scheme is as 
follows: 



25 int 

signature_compare ( key pi. key p2 , key p3); 

/* Returns non-zero if x(pl) cannot be the x-coordinate of the sum of 
cwo points whose respective x-coordinates are x{p2), 
x(p3). •/ 

30 

A function to calculate Q and compare it with (P + M(ciphertext, 
P)°ourPub) is as follows: 



q = new_public_f rom_private (NULL, depth, seed) ; 
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elliptic_mul (q. u) ; /* u is the random integer. 
elliptic_mul (our, m) ; /' m = M(cipertext, P) . */ 
/* Next, use the transmitted point p. */ 
if (signature_compare (p, our, q) ) 
5 fprintf (stderr, 'Signature invalid. \n" ) ; 



PnrrypHon /Decryption 



The encryption /decryption schemes of the present invention can be 
10 implemented in the programming language C. The following are examples 
of programmatic interfaces (.h files) and test programs (.c files) suitable for 
implementing the encryption /decryption of the present invention. 



15 



30 



35 



/* fee.h 

© 1991 NeXT Computer, Inc. All Rights Reserved. 



20 # import " giants. h" 

•define DEFAULTERS ION 1 #define DEFAULT_DE?TH 4 *define ^FAOLT-SEED 0 
•define MAX DEPTH 22 •define FEE.TOKEN "scicompg" 8 define BUF.SIZE 819<i 
•define KEyItOO_SHORT 1 Sdefine ILLEGAL_CHARS_IN_KEY 2 •define BAD.TOKEN 
25 3 #def ine VERSION_PARAM_MISMATCH 4 ttdefine DEPTH_PARAM_MISMATCH 5 
•define SEED_PARAM_MISMATCH 6 #define EXP_PARAM_MISMATCH 7 #define 
A_PARAM_MISMATCH 8 *define X1_PARAM_MISMATCH 9 



typedef giant padkey; 

typedef struct { 

int version; int depth; int seed; int exp; mt a; int xl ; 

padkey x; 

} keys true t; typedef keys true t *key; 

int hexstr_illegal(char -pub.hex) ; /• Returns non-zero iff pub.hex is 
not a valid hex string. */ 
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void hexs tr_to_key ( char *str, key public) ; /* Jams public (assumed pre- 
malloced) with hex scr contents. */ 

5 char * new_hexstr_f rom.key (key public); /* Mallocs and returns a hex 
string representing public. */ 

key new_ public_f rom_private ( char 'private, int depth, int seed); /* 
Mallocs and returns a new public key. If 'pr ivate==NULL, depth and seed 

10 are ignored, and the returned key is simply malloc'ed but without 

meaningful parameters. If private is a valid string, depth and seed are 
used to establish correct elliptic parameters, depth is 0 to MAx_DEPTH 
inclusive, while seed = DEFMJLT_SEED usually, but may be chosen to be 
any integer in order to change the encryption parameters for the given 

15 depth. The depth alone determines the time to generate one-time pads. 
•/ 

char w new_hexstr_f rom_pad { ) ; /* Malloc's and returns a hex string, 
null -terminated, representing the one-time pad. This function is usually 
20 called- after a make_one_cime__pad ( ) call. 
•/ 

void generate_byte_pad ( char *byte_pad, int len) ; /* Jams byte_pad with 
len bytes of the one-time pad. There is no null termination; just len 
25 bytes are modified. 
*/ 

int make_one_time_pad (char -private, key public); / * Calculate the 
internal one-time pad. ■/ 

30 

void free_key{key pub); /* De-allocate ah allocated key. */ 

void NXWritePublic (NXStream *out, key my_pub) ; /* Write a key co out 
stream. */ 

35 

void NXReadPublic (NXStream *in, key pub); /• Read a key from in stream. 
V 

int keys_inconsistent (key publ, key pub2 ) ; /* Return non-zero if publ, 
40 pub2 have inconsistent parameters. 
•/ 

int encrypt_stream( NXStream -in, NXStream *out, key their_pub, key 
my_pub, char *my_pri); /* Encrypt in to out. If my_pub ! =NULL , a 
45 consistency check for equivalent parameters with their_pub is performed. 
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with possible non-zero error returned (and encryption aborted) . 
Otherwise, when my_pub==NULL , an internal key is temporarily created for 
insertion into the out stream. 
*/ 

int decrypt_stream(NXStream *in, NXStream 'out, char *my_pri); /* 
Decrypt in to out. Non-zero error value is recurned if an internal token 
(that should have been present in the in stream) is not properly 
decrypted. 
10 •/ 

void set„crypt_params(int *depth, int *exp, int *a, int *xl, int -seed) ; 
void str_to_giant (char *str, giant g) ; 

15 

int ishex(char *s); 

void byte_to_hex ( int b, char *s) ; 
20 void hex_to_byte (char *s, int *b) ; 
int hexstr_to_int (char **s); 
int int_to_hexstr ( int n, char *str) ; 
int giant_to_hexstr (giant g, char *str); 
void make_base ( int exp) ; 
30 void init_elliptic ( ) ; 
padkey get_pad() ; 

void ell.even (giant xl ( giant zl, giant x2 ( giant z2, int a, int q) ; 

void ell_odd<giant xl, giant zl, giant x2 , giant z2 , giant xor, giant 
zor, int q) ; 

int scompg(int n, giant g); 

40 

void elliptic(giant xx, giant zz, giant k, int a, int q) ; 
unsigned char byt (padkey x, int k) ; 
45 int vers ion_param( key pub) ; 



25 



35 
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int depth_param(key pub) ; 
int seed_param(key pub) ; 

5 

int exp_param ( key pub) ; 
int a_pararo ( key pub) ; 
10 int xl_param(key pub) ; 
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/* keytest.c 

Test program for public key exchange, Usage: > keytest depth 
MyPrivate Their Pri vate 

© 1991 NeXT Computer, Inc. All Rights Reserved 

*/ 

#import <stdio.h> #import <s tr earns/ streams . h> #import "fee.h" 

main(int argc, char **argv) ( 

key my_pub, their _jpub; char *my_pub_str, * their_pub_str ; char 
•padstr; int depth; 

if(argc<4) { 

fprintf (stderr , -Usage: keytest depth MyPrivate 
TheirPrivate\n" ) ; exit(0); 

} 

depth = atoi (argv(l) ) ; my_pub = 

new_public - from_private(argv[2] , depth, DEFAULT^ SEED) ; 
their_pub = new_public_f rom_private ( argv [ 3 1 , depth, 
DEFAULT_SEED) ; 

my_pub_str = new_hexstr_f rom_key (my__pub) ; their_pub_str = 
new_hexstr_.f rom_key ( their_pub) ; 

printf ("My Public Key : \n%s\n- , my__pub_str ) ; printf ( "Their 
Public Key: \n%s\n" , their_pub_str ) ; 

f ree (my_pub_str ) ; f ree ( their_pub_s tr ) ; 

make_one_time__pad(argv[2] , their_pub) ; padstr = 
new_hexstr_from_pad() ; print f ( "One-time pad, using My Private 
and Their Public : \n%s \n" , padstr ) ; f ree (padstr ) ; 

make_one_time_pad(argv[3 ) , my_pub) ; padstr = 
new_hexstr_f rom_pad( ) ; printf ( "One-time pad, using Their 
Private and My Public : \n%s\n" ,padstr) ; free (padstr ) ; 

f reejcey (my_pub) ; f ree_key ( their_pub) ; 

printf {"The two one-time pads should be equivalent . \n" ) ; 
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/* solencrypt.c 

Solitaire encryption for personal files, Usage: > solencrypt <depch> 
file file. ell Private Key: 

5 © 1991 NeXT Computer, Inc. All Rights Reserved 

*/ 



iimport <stdio.h> ttimport <streams /streams . h> ^import "fee.h" 

10 maindnt argc, char **argv) ( 

key my_pub; int depth; char *my_pri ; NXStream * inStream, 
♦outStream; 

if(argc<3) { 

15 fprintf (stderr . "Usage: solencrypt <depth> file f ile . ell\nPrivate Key: 
\nwhere depth is an integer 0 through 22. def ault = 4 . \n" ) ; 

exit(0); } if(argc==4) depth = acoi ( argv ( 1 1 ) ; else depth = 
DEFAULT_DEPTH; 

20 /* Next, open the screams. */ 

inStream = NXMapFile ( argv [argc -2 ] , NX_READONLY) ; outStream = 
NXOpenMemory ( NULL ( 0 , NX_WRITEONLY ) ; 

25 /* Next, get private key, make public key, encrypt stream, blank the 
private key in memory. V 



my_pri = (char * ) getpass ( " Private Key: ■ ) ; my_pub = 
r.ew_public_f rom__private (my_pri , depth, DEFAULT_SEED) ; 
30 encrypt_s t ream ( inStream, outStream, my_pub , my_pub , my__pri ) ; 

bzero (my_pri , strlen (my_pri ) ) ; f ree_key ( my_pub) ; 

/* Next, flush and write. */ 

35 NXFlush ( inStream) ; NXFlush ( outStream) ; NXSaveToFile ( outStream, 

argv[argc-l] ) ; NXClose ( inStream) ; NXCloseMemory (outStream, 
NX_FREEBUFFER) ; 
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/» soldecrypt .c 

Solitaire encryption for personal files. Usage: > soldecrypt file. ell 
file Private Key: 

© 1991 NeXT Computer, Inc. All Rights Reserved 

•/ 

#import <stdio.h> #import <streams/ streams . h> # import "fee.h" 

main(int argc, char **argv) ( 

char *my_ pri; NXStream *inStream, *outStream; int err; 

if(argc<3) ( 

fprintf (stderr. -Usage: soldecrypt file. ell 
f ile\nPrivate Key: \n M ) ; exit(0); 

} 

/* Next, open the streams. */ 

inStream = NXMapFi le ( argv [ 1 ] , NX_READONLY) ; outStream = 
NXOpenMemo ry ( NULL , 0 , NX_WRITEONLY ) ; 

/* Next, decrypt the stream and blank the private key in memory. */ 

my_pri = (char •) getpass f Private Key: -); err = 
decrypt_scream{ inStream, outStream, my_pri); bzero < my_pri . 
strlen(my_pri) ) ; if (err) ( 

fprintf (stderr, "Error %d: bad private key.\n" # err); 

exit (0) ; 

} 

/* Next, write and close. */ 

NXSaveToFile (outStream, argv[2]); NXClose ( inStream) ; 
NXCloseMemory (outStream, NX_FREEBUFFER ) ; 
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CLAIMS QF THE INVENTION 

1. A method for encrypting a plaintext message in a sender 
computer system comprising the steps of: 
5 selecting a parcel of plaintext Xtext; 

determining for which of two elliptic curves E+ and E" *text is a valid 
coordinate; 

generating a message coordinate x m using a random value r, a public 
key from a public key/ private key pair, and XtextJ 
10 generating a clue value x c ; 

generating a sign value g; 

representing said encrypted message by said message coordinate, said 
clue, and said sign. 

15 2. The method of claim 1 wherein said message coordinate, said 

clue, and said sign are transmitted to a receiver. 

3. The method of claim 2 wherein said public key is a public key of 
said receiver. 

20 
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4. The method of claim 1 wherein said step of determining for 
which of two curves x tex t is a valid coordinate is accomplished by the 
following steps: 

assuming q, a=Q, b=±l, c*2, giving rise to two possible elliptic curves E*; 
assuming two public coordinates xi* such that two points Pi + and Pi- 
lie respectively on curves E+ and E'; 

determining the sign of the curve for which rr tex t is a valid coordinate 

by 

(x te xtQ(^text)) ( P * 1)72 = ±*textQ(*text) (mod p) 
p = 3(mod 4). 

5. The method of claim 4 wherein the step of generating a message 
coordinate is accomplished by the following steps: 

choosing random r, and calculating {x q , ?) := r 4 (theirPub^, ?); 
calculating a message coordinate .r m := elliptic_add(.T text , x qj + 1) 

6. The method of claim 5 wherein said step of generating a clue x c 
is accomplished by (x c , ?) := r • Pf 1 . 

7. The method of claim 6 wherein said step of determining said 
sign g is accomplished by which sign holds in elliptic_add (x m , x q , +1) = x t ext. 
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8. The method of claim 7 further including the steps of: 
at said receiver, generating Xq from said clue x c ) 
recovering the plaintext by x text := elliptic_add {x m , x c , g). 

5 9. An article of manufacture comprising: 

a computer usable medium having computer readable program code 
embodied therein for encrypting a plaintext message using elliptic curve 
algebra, the computer readable program code in said article of manufacture 
comprising; 

10 computer readable program code configured to cause a computer to 

select a parcel of plaintext x text ; 

computer readable program code configured to cause a computer to 
determine for which of two elliptic curves £ + and E' Xtext is a valid 
coordinate; 

15 computer readable program code configured to cause a computer to 

generate a message coordinate x m using a random value r, a public key from a 

public key /private key pair, and xtext; 

computer readable program code configured to cause a computer to 

generate a clue value x c ; 
20 computer readable program code configured to cause a computer to 

generate a sign value g; 
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computer readable program code configured to cause a computer to 
represent said encrypted message by said message coordinate, said clue, and 
said sign. 

5 10. The article of manufacture of claim 9 wherein said message 

coordinate, said clue, and said sign are transmitted to a receiver. 

11. The article of manufacture of claim 10 wherein said public key is 
a public key of said receiver. 

10 

12. The article of manufacture of claim 9 wherein said computer 
readable program code configured to cause a computer to determine for 
which of two curves x text is a valid coordinate comprises computer readable 
program code configured to cause a computer to perform the following steps 

15 of: 

assuming q, a=0, b=±l, c*2, giving rise to two possible elliptic curves E±; 
assuming two public coordinates x x ± such that two points Pi + and Pi- 
lie respectively on curves £ + and E"; 

determining the sign of the curve for which x tex t is a valid coordinate 

20 by 

(x t extQ(*text))<P + 1)/2 = ±*textQ(*text) (mod p) 
p = 3(mod 4). 
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13. The article of manufacture of claim 12 wherein the computer 
readable program code configured to cause a computer to generate a message 
coordinate comprises: 

computer readable program code configured to cause a computer to 
choose random r, and calculate {x q , ?) := r * (theirPub* ?); 

computer readable program code configured to cause a computer to 
calculate a message coordinate x m := elliptic_add(x text , x q , +1) 

14. The article of manufacture of claim 13 wherein said computer 
readable program code configured to cause a computer to generate a clue x c 
comprises computer readable program code configured to cause a computer to 
compute (x c , ?) := r • P^. 

15. The article of manufacture of claim 14 wherein said computer 
readable program code configured to cause a computer to determine said sign 
g comprises computer readable program code configured to cause a computer 
to determine which sign holds in elliptic_add (x m , x q , +1) = x text 

16. The article of manufacture of claim 15 further including: 
computer readable program code configured to cause a computer to, at 

said receiver, generate Xq from said clue x c ; 
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computer readable program code configured to cause a computer at said 
receiver to recover the plaintext by x text := elliptic_add (x m , x c , g). 

17. A method for encrypting a plaintext message comprising the 

5 steps of: 

selecting two random numbers r and s; 

generating an initial clue clue 0 using said random number r, a public 
key from a first public key/private key pair, and a private key from a second 
public key/private key pair; 
10 selecting a parcel of plaintext xtext,-; 

determining for which of two elliptic curves E + and E" x te xt« is a valid 

coordinate; 

generating a message coordinate m; using x te xt,- and a current clue 

clue,; 

15 generating a sign value g; 

representing said encrypted message by the pair (m;, g); and 
for a subsequent parcel, generating a subsequent clue clue (+1 using said 
current clue clue/ and said random numbers r and s. 

20 !8. The method of claim 17 further comprising the steps of: 

transmitting said random numbers r and s from a sender to a receiver; 

and 
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transmitting said encrypted message from said sender to said receiver. 

19. The method of claim 18 wherein said public key is a public key of 
said receiver and said private key is a private key of said sender. 

5 

20. The method of claim 17 wherein said step of generating said 
initial clue clueo comprises the step of computing: 

clueo = r ° ourPri ° theirPub* 
where ourPri comprises said private key and theirPub* comprises said public 
10 key. 

21. The method of claim 17 wherein said step of determining for 
which of two elliptic curves E + and £- x tex ti is a valid coordinate comprises 

the steps of: 

assuming q, a=0, b=±l, 2, giving rise to two possible elliptic curves 

E±; 

assuming two public coordinates xi ± such that two points Pi + and Pi- 
lie respectively on curves E + and £•; and 

determining the sign of the curve for which *text r ' is a valid point by 
(^text/Q^text,))^"^ 1 )/ 2 = ±X t extiQ(Xtexti) (mod p) 
p = 3 (mod 4). 



15 



20 
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22. The method of claim 17 wherein the step of generating said 
message coordinate comprises the step of computing 
mi := elliptic_add(x textl , clue,-, +1). 

5 23. The method of claim 17 wherein said step of generating said sign 

g comprises the step of determining which sign recovers x te xt; when 
elliptic_add(m,-, clue,-, ±1) is computed. 

24. The method of claim 17 wherein said step of generating said 
10 subsequent clue clue, + i comprises the steps of: 

computing s = s ° P±; and 

computing clue.+i = elliptic_add(r 0 clue/, s, +1). 

25. The method of claim 18 further comprising the following steps 

15 performed at said receiver: 

determining said initial clue clueo from said random number r, a 
private key of said first public key/private key pair, and a public key of said 
second public key/private key pair; 

determining which elliptic curve holds the point m,; 
20 computing elliptic_add(clue,-, m„ g) to determine x te x ti ; and 

computing subsequent clue clue l+1 using current clue clue. and said 
random numbers r and s. 
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26. An article of manufacture comprising: 

a computer usable medium having computer readable program code 
embodied therein for causing a computer to encrypt a plaintext message using 
5 elliptic curve algebra, said computer readable program code comprising: 

computer readable program code configured to cause a computer to 
select two random numbers r and s; 

computer readable program code configured to cause a computer to 
generate an initial clue clueo using said random number r, a public key from a 
10 first public key/ private key pair, and a private key from a second public 
key/private key pair; 

computer readable program code configured to cause a computer to 
select a parcel of plaintext x text .; 

computer readable program code configured to cause a computer to 
15 determine for which of two elliptic curves E + and E' Xtextf is a valid 

coordinate; 

computer readable program code configured to cause a computer to 
generate a message coordinate m{ using xtext; and a current clue clue/; 

computer readable program code configured to cause a computer to 
20 generate a sign value g; 

computer readable program code configured to cause a computer to 
represent said encrypted message by the pair (mi, g); and 
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computer readable program code configured to cause a computer to 
generate, for a subsequent parcel, a subsequent clue clue (+ i using said current 
clue clue,- and said random numbers r and s. 

27. The article of manufacture of claim 26 further comprising: 
computer readable program code configured to cause a computer to 

transmit said random numbers r and s from a sender to a receiver; and 

computer readable program code configured to cause a computer to 

transmit said encrypted message from said sender to said receiver. 



10 



28. The article of manufacture of claim 27 wherein said public key is 
a public key of said receiver and said private key is a private key of said 
sender. 

15 29. The article of manufacture of claim 26 wherein said computer 

readable program code configured to cause a computer to generate said initial 
clue clueo comprises computer readable program code configured to cause a 
computer to compute: 

clueo = r ° ourPri ° theirPub* 

20 where ourPri comprises said private key and theirPub* comprises said public 

key. 
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30. The article of manufacture of claim 26 wherein said computer 
readable program code configured to cause a computer to determine for 
which of two elliptic curves E + and E* r text| . is a valid coordinate comprises 
computer readable program code configured to cause a computer to: 

assume q, a-0, b=±l, c* 2, giving rise to two possible elliptic curves E±; 
assume two public coordinates xi* such that two points Pi + and Pr lie 
respectively on curves E + and E~; and 

determine the sign of the curve for which xtext[ is a valid coordinate by 

(^text^QC^text,))^^ 1 )/ 2 = ±r t extfQ(xtext«) (mod p) 

p = 3 (mod 4). 

31. The article of manufacture of claim 26 wherein said computer 
readable program code configured to cause a computer to generate said 
message coordinate comprises computer readable program code configured to 
cause a computer to compute mi := elliptic_add(x t ext,-, clue,, +1). 

32. The article of manufacture of claim 26 wherein said computer 
readable program code configured to cause a computer to generate said sign g 
comprises computer readable program code configured to cause a computer to 
determine which sign recovers xtext,- when elliptic_add(mi, clue;, ±1) is 
computed. 
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33. The article of manufacture of claim 26 wherein said computer 
readable program code configured to cause a computer to generate said 
subsequent clue clue, + i comprises: 

computer readable program code configured to cause a computer to 

compute s = s ° P±; and 

computer readable program code configured to cause a computer to 

compute clue, + i = elliptic_add(r ° clue,-, s, +1). 

34. The article of manufacture of claim 27 further comprising 
computer readable program code configured to cause a computer at said 
receiver to perform the following steps of: 

determining said initial clue clue 0 from said random number r, a 
private key of said first public key/private key pair, and a public key of said 
second public key/private key pair; 

determining which elliptic curve holds the point m i; 

computing elliptic_add(clue,-,m t/ g) to determine x textl ; and 

computing subsequent clue clue I+ i using current clue due; and said 
random numbers r and s. 
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